This paper introduces Periodically Controlled Hybrid Automata (PCHA) for modular specification of hybrid control systems. In a PCHA, control actions that change the control input to the plant occur roughly periodically, while other actions that update the state of the controller may occur in the interim, changing the set-point of the system. Such actions could model, for example, sensor updates and information received from higher-level planning modules that change the set-point of the controller. Based on periodicity and subtangential conditions, a new sufficient condition for verifying invariant properties of PCHAs is presented. Checking these conditions can be automated using, for example, the constraint-based approach, quantifier elimination, or sum of squares decomposition. The proposed technique is used to verify safety and progress properties of the planner-controller subsystem of an autonomous ground vehicle. Geometric properties of planner generated paths are derived which guarantee that such paths can be safely followed by the controller.
fication — Correctness proofs; Formal methods; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs — Invariants; Specification techniques; I.2.9 [Artificial Intelligence]: Robotics — Autonomous vehicles
1. INTRODUCTION

Design bugs in embedded systems can be fairly subtle and may arise from the unforeseen interactions among the computing, communication, and control subsystems. Consider, for example, the embedded computing system of the autonomous vehicle Alice built at Caltech. Alice successfully accomplished two of the three tasks at the National Qualifying Event of the 2007 DARPA Urban Challenge [Burdick et al. 2007], [Wongpiromsarn and Murray 2008], [DuToit et al. 2008]. In executing the third task, which involved making left-turns while merging into traffic, its behavior was unsafe and almost led to a collision. Alice was stuck at the corner of a sharp turn, dangerously stuttering in the middle of an intersection. It was later diagnosed that this behavior was caused by bad interactions between the reactive obstacle avoidance subsystem (ROA) and the relatively slowly reacting path planner. The planner incrementally generates a sequence of waypoints based on the road map, obstacles, and the mission goals. The ROA is designed to rapidly decelerate the vehicle when it gets too close to (possibly dynamic) obstacles or when the deviation from the planned path gets too large. Finally, to protect the vehicle steering system, Alice's low-level controller limits the rate of steering at low speeds. Thus, when accelerating from a low speed, if the planner produces a path with a sharp left turn, the controller is unable to follow the turn closely. Alice deviates from the path; the ROA activates and slows it down. This cycle repeats, leading to stuttering.

The above example illustrates how the design of reliable embedded systems inherits the difficulties involved in designing both control systems and distributed (concurrent) computing systems. The described design bug manifests as the undesirable behavior only under a very specific set of conditions and only when the controller, the ROA, and the vehicle interact in a very specific manner. Therefore, the bug was never discovered in thousands of hours of extensive simulation and over three hundred miles of field testing. Formal methods provide tools and techniques for uncovering such subtle design bugs and for mathematically proving the correctness of designs. More recently, formal techniques have also been used to automatically generate controllers that are correct by construction [Kloetzer and Belta 2006], [Fainekos et al. 2009].

The hybrid system formalism [Alur et al. 1995], [Kaynar et al. 2005] provides a rich mathematical language for specifying embedded systems where computing and control components interact with physical processes. The algorithmic verification problem for hybrid systems with general dynamics is known to be computationally hard [Henzinger et al. 1995]. Restricted subclasses that are amenable to algorithmic analysis have been identified, such as the rectangular-initialized hybrid automata [Henzinger et al. 1995], o-minimal hybrid automata [Lafferriere et al. 1999], and more recently planar [Prabhakar et al. 2008] and STORMED [Vladimerou et al. 2008] hybrid automata. Although these restricted subclasses improve our understanding of the decidability frontier for hybrid systems, the imposed restrictions are artificial. That is, they are not representative of structures that arise in real engineered systems. For example, initialized hybrid automata require the continuous state of the system to be reset every time the automaton enters a new mode (control state). STORMED hybrid automata, on the other hand, require all the vector fields and reset maps to be monotonic with respect to a certain fixed direction.

While real world hybrid systems are large and complex, they are also engineered, and hence have more structure than general hybrid automata [Alur et al. 1995]. With the motivation of abstractly capturing a common design pattern in embedded control systems such as Alice and other motion control systems [Mitra et al. 2003], in this paper we study a new subclass of hybrid automata.

Two main contributions of this paper are the following¹: First, we define a class of hybrid control systems in which certain control actions occur roughly periodically. Each control action sets the controlling output that drives the plant or the physical process. In the interval between two control actions the state of the plant evolves continuously with the control input set by the first. Also, in the same interval, other discrete actions may occur, updating the state of the system. For example, such discrete changes may correspond to sensor inputs and changes of the waypoint or the set-point of the controller. These changes may in turn influence the computation of the next control action.

For this class of periodically controlled hybrid systems, we present a sufficient condition for verifying invariant properties. The key requirement in applying this condition is to identify a collection of subsets $C$ of the candidate invariant set $\mathcal{I}$, such that if the control action occurs when the system state is in $C$, then the subsequent control output guarantees that the system remains in $\mathcal{I}$ for the next period. The technique does not require solving the differential equations; instead, it relies on checking conditions on the periodicity and the subtangential condition at the boundary of $\mathcal{I}$. We show how these checks can be automated using sum of squares decomposition and semidefinite programming [Prajna et al. 2002]. These formulations are illustrated by analyzing an example in which an invariant is automatically determined using the constraint-based approach presented in [Gulwani and Tiwari 2008]. We believe that other techniques for finding invariants, for example those presented in [Platzer and Clarke 2008], [Sankaranarayanan et al. 2008], could also be effectively used for computing invariants of PCHAs. The findings from this direction of research will be reported in a future paper.

Secondly, we apply the above technique to verify the safety and progress properties of the planner-controller subsystem of Alice. First, we verify a family of invariants $\{\mathcal{I}_k\}_{k \in \mathbb{N}}$ using the above-mentioned technique. Then, we determine a sequence of shrinking $\mathcal{I}_k$'s as the vehicle makes progress along the planned path. From these shrinking invariants, we are able to deduce safety. That is, the deviation (the distance of the vehicle from the planned path) remains within a certain constant bound. In the process, we also derive geometric properties of planner paths that guarantee that they can be followed safely by the vehicle.

The remainder of the paper is organized as follows: In Section 2, we briefly present the key definitions for the hybrid I/O automaton framework. In Section 3, we present PCHA and a sufficient condition for proving invariance. In this section, we also present the formulation of the sufficient conditions as a sum of squares optimization problem for automatic verification. In Sections 4 and 5, we present the formal model and verification of Alice's Controller-Vehicle subsystem.

2.  PRELIMINARIES 

We use the Hybrid Input/Output Automata (HIOA) framework of [Lynch et al. 2003; Kaynar et al. 2005] for modelling hybrid systems and the state model-based notations introduced in [Mitra 2007]. A Structured Hybrid I/O Automaton (SHIOA) is a non-deterministic state machine whose state may change instantaneously through a transition, or continuously over an interval of time following a trajectory.

¹ The preliminary results of this paper were published in [Wongpiromsarn et al. 2009].

A variable structure is used for specifying the states of an SHIOA. Let $V$ be a set of variables. Each variable $v \in V$ is associated with a type which defines the set of values $v$ can take. The set of valuations of $V$ is denoted by $val(V)$. For a valuation $\mathbf{v} \in val(V)$ of the set of variables $V$, its restriction to a subset of variables $Z \subseteq V$ is denoted by $\mathbf{v} \lceil Z$. A variable may be discrete or continuous². Typically, discrete variables model protocol or software state, and continuous variables model physical quantities such as time, position, and velocity.

A trajectory for a set of variables $V$ models continuous evolution of the values of the variables over an interval of time. Formally, a trajectory $\tau$ is a map from a left-closed interval of $\mathbb{R}_{\ge 0}$ with left endpoint 0 to $val(V)$. The domain of $\tau$ is denoted by $\tau.dom$. The first state of $\tau$, $\tau.fstate$, is $\tau(0)$. A trajectory $\tau$ is closed if $\tau.dom = [0, t]$ for some $t \in \mathbb{R}_{\ge 0}$, in which case we define the last time of $\tau$, $\tau.ltime = t$, and the last state of $\tau$, $\tau.lstate = \tau(t)$. For a trajectory $\tau$ for $V$, its restriction to a subset of variables $Z \subseteq V$ is denoted by $\tau \downarrow Z$.

For given sets of input $U$, output $Y$, and internal $X$ variables, a state model $S$ is a triple $(\mathcal{F}, Inv, Stop)$, where (a) $\mathcal{F}$ is a collection of Differential and Algebraic Inequalities (DAIs) involving the continuous variables in $U$, $Y$, and $X$, and (b) $Inv$ and $Stop$ are predicates on $X$ called the invariant condition and the stopping condition of $S$. The components of $S$ are denoted by $\mathcal{F}_S$, $Inv_S$ and $Stop_S$. $S$ defines a set of trajectories, denoted by $trajs(S)$, for the set of variables $V = X \cup U \cup Y$. A trajectory $\tau$ for $V$ is in the set $trajs(S)$ iff

(a) the discrete variables in $X \cup Y$ remain constant over $\tau$;

(b) the restriction of $\tau$ to the continuous variables in $X \cup Y$ satisfies all the DAIs in $\mathcal{F}_S$;

(c) at every point in time $t \in \tau.dom$, $(\tau \downarrow X)(t) \in Inv$; and

(d) if $(\tau \downarrow X)(t) \in Stop$ for some $t \in \tau.dom$, then $\tau$ is closed and $t = \tau.ltime$.

A Structured Hybrid I/O Automaton is a state machine that uses a collection of state models for specifying its trajectories.

Definition 2.1. A Structured Hybrid I/O Automaton (SHIOA) $\mathcal{A}$ is a tuple $(V, Q, Q_0, A, \mathcal{D}, \mathcal{S})$ where

(a) $V$ is a set of variables partitioned into sets of internal or state variables $X$, output variables $Y$ and input variables $U$;

(b) $Q \subseteq val(X)$ is a set of states and $Q_0 \subseteq Q$ is a nonempty set of start states;

(c) $A$ is a set of actions partitioned into sets of internal $H$, output $O$ and input $I$ actions;

(d) $\mathcal{D} \subseteq Q \times A \times Q$ is a set of discrete transitions; and

(e) $\mathcal{S}$ is a collection of state models for $U$, $Y$, and $X$, such that for every $S, S' \in \mathcal{S}$ with $S \ne S'$, $Inv_S \cap Inv_{S'} = \emptyset$, and $Q \subseteq \bigcup_{S \in \mathcal{S}} Inv_S$.

² See [Mitra 2007] for the formal definition of these variable dynamic types.


In addition, $\mathcal{A}$ satisfies the following axioms:

E1 Every input action is enabled at every state.

E2 Given any trajectory $v$ of the input variables $U$, any $S \in \mathcal{S}$ and $x \in Inv_S$, there exists $\tau \in trajs(S)$ starting from $x$ such that either (a) $\tau \downarrow U = v$, or (b) $\tau \downarrow U$ is a proper prefix of $v$ and some action in $H \cup O$ is enabled at $\tau.lstate$.

E1 is the standard action nonblocking axiom of I/O automata. E2 is a nonblocking axiom for individual state models: given any trajectory $v$ of the input variables and any state model, either time can elapse for the entire duration of $v$, or time elapses to a point at which some local action of $\mathcal{A}$ is enabled.

For a set of state variables $X$, a state $x$ is an element of $val(X)$. We denote the valuation of a variable $y \in X$ at state $x$ by the usual dot notation $x.y$. A transition $(x, a, x') \in \mathcal{D}$ is written in short as $x \xrightarrow{a}_{\mathcal{A}} x'$, or as $x \xrightarrow{a} x'$ when $\mathcal{A}$ is clear from the context. An action $a$ is said to be enabled at $x$ if there exists $x'$ such that $x \xrightarrow{a} x'$. We denote the components of an SHIOA $\mathcal{A}$ by $A_{\mathcal{A}}$, $V_{\mathcal{A}}$, etc.

An execution of $\mathcal{A}$ records the valuations of all its variables and the occurrences of all actions over a particular run. An execution is closed if it is finite and the last trajectory in it is closed.

An execution fragment of $\mathcal{A}$ is a finite or infinite sequence $\alpha = \tau_0\, a_1\, \tau_1\, a_2 \cdots$ such that for all $i$ in the sequence, $a_i \in A$, $\tau_i \in trajs(S)$ for some $S \in \mathcal{S}$, and $\tau_i.lstate \xrightarrow{a_{i+1}} \tau_{i+1}.fstate$. An execution fragment is an execution if $\tau_0.fstate \in Q_0$. The first state of $\alpha$, $\alpha.fstate$, is $\tau_0.fstate$, and for a closed $\alpha$, its last state, $\alpha.lstate$, is the last state of its last trajectory. The limit time of $\alpha$, $\alpha.ltime$, is defined to be $\sum_i \tau_i.ltime$. The set of executions and the set of reachable states of $\mathcal{A}$ are denoted by $Execs_{\mathcal{A}}$ and $Reach_{\mathcal{A}}$. A set of states $\mathcal{I} \subseteq Q$ is said to be an invariant of $\mathcal{A}$ iff $Reach_{\mathcal{A}} \subseteq \mathcal{I}$.

3.  PERIODICALLY  CONTROLLED  HYBRID  SYSTEMS 

In this section, we define a subclass of SHIOAs that is suitable for modeling sampled control systems and embedded systems with periodic sensing and actuation. The main result of this section, Theorem 3.4, gives a sufficient condition for proving invariant properties of this subclass.

3.1 Periodically Controlled Hybrid I/O Automata

A Periodically Controlled Hybrid Automaton (PCHA) is an SHIOA with a set of (control) actions that occur roughly periodically. These control actions alter the actual control signal (input) that feeds the plant and may change the continuous and the discrete state variables of the automaton. The automaton may have other actions that change only the discrete state of the automaton. These actions can model, for example, sensor inputs and changes of the set-point of the controller coming from higher-level inputs. For the sake of simplicity, we consider PCHAs of the form shown in Figure 1; however, Theorem 3.4 generalizes to PCHAs with other input, output, and internal actions.

Let $X \subseteq \mathbb{R}^n$ for some $n \in \mathbb{N}$, and let $\mathcal{L}$, $Z$, and $U$ be arbitrary types. Four key variables of PCHA $\mathcal{A}$ are

(a) the continuous state variable $s$ of type $X$, initialized to $s_0$,

(b) the discrete state (location or mode) variable $loc$ of type $\mathcal{L}$, initialized to $l_0$,

(c) the command variable $z$ of type $Z$, initialized to $z_0$, and

(d) the control variable $u$ of type $U$, initialized to $u_0$.

The continuous state generally includes the continuous state of the plant and some internal state of the controller. The discrete state represents the mode of the system. The command variable is used to store externally produced input commands or sensor updates. The control variable stores the control input to the plant. Finally, the $now$ and $next$ variables are used for triggering the control action periodically.

PCHA $\mathcal{A}$ has two types of actions: (a) through the input action $update$, $\mathcal{A}$ learns about new externally produced input commands such as set-points or waypoints. When an $update(z')$ action occurs, $z'$ is recorded in the command variable $z$. (b) The $control$ action changes the control variable $u$. This action occurs roughly periodically starting from time 0; the time gap between two successive occurrences lies within $[\Delta_1, \Delta_1 + \Delta_2]$, where $\Delta_1 > 0$ and $\Delta_2 > 0$. When $control$ occurs, $loc$ and $s$ are computed as a function of their current values and that of $z$, and $u$ is computed as a function of the new values of $loc$ and $s$.

For each value of $l \in \mathcal{L}$, the continuous state $s$ evolves according to the trajectories specified by the state model $smodel(l)$. That is, $s$ evolves according to the differential equation $\dot{s} = f_l(s, u)$. The timing of the $control$ action is enforced by the precondition of $control$ and the stopping condition of the state models.


    signature
        internal control
        input update(z' : Z)

    variables
        internal s : X := s_0
        internal discrete loc : L := l_0,
            z : Z := z_0, u : U := u_0
        internal now : R_{>=0} := 0,
            next : R := -Delta_2

    transitions
        input update(z')
            eff z := z'

        internal control
            pre now >= next
            eff next := now + Delta_1;
                (loc, s) := h(loc, s, z);
                u := g(loc, s)

    trajectories
        trajdef smodel(l : L)
            invariant loc = l
            evolve d(now) = 1; d(s) = f_l(s, u)
            stop when now = next + Delta_2

Fig. 1. PCHA with parameters $\Delta_1$, $\Delta_2$, $g$, $h$, $\{f_l\}_{l \in \mathcal{L}}$. See, for example, [Mitra 2007] for a description of the language.


3.2  Invariant  Verification 

Proving invariant properties of hybrid automata is a central problem in formal verification. Invariants are used for overapproximating the reachable states of a given system, and therefore can be used for verifying safety properties.

Given a candidate invariant set $\mathcal{I} \subseteq Q$, we are interested in verifying that $Reach_{\mathcal{A}} \subseteq \mathcal{I}$. For continuous dynamical systems, checking the well-known subtangential condition (see, for example, [Bhatia and Szego 1967]) provides a sufficient condition for proving invariance of a set that is bounded by a closed surface. Theorem 3.4 provides an analogous sufficient condition for PCHAs. In general, however, invariant sets for PCHAs have to be defined by a collection of functions instead of a single function. For each mode $l \in \mathcal{L}$, we assume that the invariant set $I_l \subseteq X$ for the continuous state is defined by a collection of $m$ boundary functions $\{F_{lk}\}_{k=1}^{m}$, where $m$ is some natural number and each $F_{lk} : X \to \mathbb{R}$ is a differentiable function³. Formally,

$I_l = \{ s \in X \mid \forall k \in \{1, \dots, m\},\ F_{lk}(s) \ge 0 \}$ and $\mathcal{I} = \{ x \in Q \mid x.s \in I_{x.loc} \}$.

Note that the overall candidate invariant set $\mathcal{I}$ does not restrict the values of the command or the control variables. In the remainder of this section, we develop a set of sufficient conditions for checking that $\mathcal{I}$ is indeed an invariant of a given PCHA. Lemma 3.1 modifies the standard inductive technique for proving invariance, so that it suffices to check invariance with respect to $control$ transitions and $control$-free execution fragments of length not greater than $\Delta_1 + \Delta_2$.

Lemma 3.1. Suppose $Q_0 \subseteq \mathcal{I}$ and the following two conditions hold:

(a) (Control steps) For each pair of states $x, x' \in Q$, if $x \xrightarrow{control} x'$ and $x \in \mathcal{I}$, then $x' \in \mathcal{I}$.

(b) (Control-free fragments) For each closed execution fragment $\beta = \tau_0\, update(z_1)\, \tau_1\, update(z_2) \cdots \tau_n$ starting from a state $x \in \mathcal{I}$, where each $z_i \in Z$, if $x.next - x.now = \Delta_1$ and $\beta.ltime \le \Delta_1 + \Delta_2$, then $\beta.lstate \in \mathcal{I}$.

Then $Reach_{\mathcal{A}} \subseteq \mathcal{I}$.

Proof. Consider any reachable state $x$ of $\mathcal{A}$ and any execution $\alpha$ such that $\alpha.lstate = x$. We can write $\alpha$ as $\beta_0\, control\, \beta_1\, control \cdots \beta_k$, where each $\beta_i$ is a $control$-free execution fragment of $\mathcal{A}$, i.e., an execution fragment in which only $update$ actions occur. From condition (a), it follows that for each $i \in \{0, \dots, k-1\}$, if $\beta_i.lstate \in \mathcal{I}$, then $\beta_{i+1}.fstate \in \mathcal{I}$.

Thus, it suffices to prove that for each $i \in \{0, \dots, k\}$, if $\beta_i.fstate \in \mathcal{I}$, then $\beta_i.lstate \in \mathcal{I}$. We fix an $i \in \{0, \dots, k\}$ and assume that $\beta_i.fstate \in \mathcal{I}$. Let $\beta_i = \tau_0\, update(z_1)\, \tau_1\, update(z_2) \cdots \tau_n$, where $z_j \in Z$ for $j \in \{1, \dots, n\}$ and each $\tau_j$, $j \in \{0, \dots, n\}$, is a trajectory of $\mathcal{A}$. If $i = 0$, then $\beta_i.ltime = 0$ and $\beta_i.lstate \lceil \{loc, s\} = \beta_i.fstate \lceil \{loc, s\}$, since the first $control$ action occurs at time 0 and $update$ transitions do not affect the values of $loc$ and $s$. Therefore, $\beta_i.lstate \in \mathcal{I}$. Otherwise, $i > 0$ and, since $\beta_i$ starts immediately after a $control$ action, $\beta_i.fstate.next - \beta_i.fstate.now = \Delta_1$. From the periodicity of $control$ actions, we know that $\beta_i.ltime \le \Delta_1 + \Delta_2$, and hence from condition (b) it follows that $\beta_i.lstate \in \mathcal{I}$. □

Invariance of $control$ steps can often be checked through case analysis, which can be partially automated using a theorem prover [Owre et al. 1996]. The next key lemma provides a sufficient condition for proving invariance of $control$-free fragments. Since $control$-free fragments do not change the valuation of the $loc$ variable, for this part we fix a value $l \in \mathcal{L}$. For each index $j \in \{1, \dots, m\}$ of the boundary functions, we define the set $\partial I_j$ to be the part of the set $I_l$ where the function $F_{lj}$ vanishes. That is, $\partial I_j = \{ x \in I_l \mid F_{lj}(x) = 0 \}$. For the sake of brevity, we call $\partial I_j$ a boundary of $I_l$, even though, strictly speaking, the boundary of $I_l$ according to the standard topological definition is only a subset of the union of the $\partial I_j$'s. Accordingly, we say that the boundary of $I_l$ is $\partial I_l = \bigcup_{j \in \{1, \dots, m\}} \partial I_j$.

³ An identical size $m$ of the collections simplifies our notation; different numbers of boundary functions for different values of $l$ can be handled by extending the theorem in an obvious way.

Lemma 3.2. Suppose that there exists a collection $\{C_j\}_{j=1}^{m}$ of subsets of $I_l$ such that the following conditions hold:

(a) (Subtangential) For each $s_0 \in I_l \setminus C_j$ and $s \in \partial I_j$, $\nabla F_{lj}(s) \cdot f_l(s, g(l, s_0)) > 0$.

(b) (Bounded distance) $\exists\, c_j > 0$ such that $\forall\, s_0 \in C_j,\ s \in \partial I_j$: $\|s - s_0\| \ge c_j$.

(c) (Bounded speed) $\exists\, b_j > 0$ such that $\forall\, s_0 \in C_j,\ s \in I_l$: $\|f_l(s, g(l, s_0))\| \le b_j$.

(d) (Fast sampling) $\Delta_1 + \Delta_2 < \min_{j \in \{1, \dots, m\}} c_j / b_j$.

Then any $control$-free execution fragment $\beta$ with $\beta.ltime \le \Delta_1 + \Delta_2$, starting from a state in $I_l$ where $next - now = \Delta_1$, remains within $I_l$.

In Figure 2, the $control$ actions and the $control$-free fragments are shown by bullets and lines, respectively. A fragment starting in $I_l$ and leaving $I_l$ must cross $\partial I_1$ or $\partial I_2$. Consider the following four cases.

(1) If $u$ is evaluated outside both $C_1$ and $C_2$ (e.g. $\tau_2$, $\tau_4$ and $\tau_6$), then condition (a) guarantees that the fragment does not cross $\partial I_j$ for $j \in \{1, 2\}$, because when it reaches $\partial I_j$, the vector field governing its evolution points inwards with respect to $\partial I_j$.

(2) If $u$ is evaluated inside $C_1$ but outside $C_2$ (e.g. $\tau_1$ and $\tau_7$), then by the previous reasoning, condition (a) guarantees that the fragment does not cross $\partial I_2$. In addition, conditions (b) and (c) guarantee that it takes a finite time before the fragment reaches $\partial I_1$, and condition (d) guarantees that this finite time exceeds $\Delta_1 + \Delta_2$; thus, before the fragment crosses $\partial I_1$, $u$ is evaluated again.

(3) If $u$ is evaluated outside $C_1$ but inside $C_2$ (e.g. $\tau_3$), then by a symmetric argument, the fragment does not cross $\partial I_1$ or $\partial I_2$.

(4) If $u$ is evaluated inside both $C_1$ and $C_2$ (e.g. $\tau_5$), then conditions (b), (c) and (d) guarantee that $u$ is evaluated again before the fragment crosses $\partial I_1$ or $\partial I_2$.

Proof. We fix a $control$-free execution fragment $\beta = \tau_0\, update(z_1)\, \tau_1\, update(z_2) \cdots \tau_n$ such that at $\beta.fstate$, $next - now = \Delta_1$. Without loss of generality we assume that at $\beta.fstate$, $z = z_1$, $loc = l$, and $s = x_1$, where $z_1 \in Z$, $l \in \mathcal{L}$ and $x_1 \in I_l$. We have to show that at $\beta.lstate$, $s \in I_l$.

First, observe that for each $k \in \{0, \dots, n\}$, $(\tau_k \downarrow s)$ is a solution of the differential equation(s) $d(s) = f_l(s, g(l, x_1))$. Let $\tau$ be the pasted trajectory $\tau_0 \frown \tau_1 \frown \cdots \frown \tau_n$⁴, and let $\tau.ltime$ be $T$. Since the $update$ action does not change $s$, $\tau_k.lstate \lceil s = \tau_{k+1}.fstate \lceil s$ for each $k \in \{0, \dots, n-1\}$. As the differential equations are time invariant, $(\tau \downarrow s)$ is a solution of $d(s) = f_l(s, g(l, x_1))$. We define the function $\gamma : [0, T] \to X$ as $\forall\, t \in [0, T]$, $\gamma(t) = (\tau \downarrow s)(t)$. We have to show that $\gamma(T) \in I_l$. Suppose, for the sake of contradiction, that there exists $t^* \in [0, T]$ such that $\gamma(t^*) \notin I_l$. By the definition of $I_l$, there exists $i$ such that $F_{li}(\gamma(0)) \ge 0$ and $F_{li}(\gamma(t^*)) < 0$. We pick one such $i$ and fix it for the remainder of the proof. Since $F_{li}$ and $\gamma$ are continuous, from the intermediate value theorem we know that there exists a time $t_1$ before $t^*$ where $F_{li}$ vanishes and that there is some finite time $\varepsilon > 0$ after $t_1$ during which $F_{li}$ is strictly negative. Formally, there exist $t_1 \in [0, t^*)$ and $\varepsilon > 0$ such that for all $t \in [0, t_1]$, $F_{li}(\gamma(t)) \ge 0$, $F_{li}(\gamma(t_1)) = 0$, and for all $\delta \in (0, \varepsilon]$, $F_{li}(\gamma(t_1 + \delta)) < 0$.

Case 1: $x_1 \in I_l \setminus C_i$. Since $F_{li}(\gamma(t_1)) = 0$, by definition $\gamma(t_1) \in \partial I_i$. But from the values of $F_{li}(\gamma(t))$ for $t$ near $t_1$, we get that

$\frac{d}{dt} F_{li}(\gamma(t))\Big|_{t = t_1} = \nabla F_{li}(\gamma(t_1)) \cdot f_l(\gamma(t_1), g(l, x_1)) \le 0.$

This contradicts condition (a).

Case 2: $x_1 \in C_i$. Since for all $t \in [0, t_1]$, $F_{li}(\gamma(t)) \ge 0$ and $F_{li}(\gamma(t_1)) = 0$, we get that for all $t \in [0, t_1]$, $\gamma(t) \in I_l$ and $\gamma(t_1) \in \partial I_i$. So from conditions (b) and (c), we get

$c_i \le \|\gamma(t_1) - x_1\| = \Big\| \int_0^{t_1} f_l(\gamma(t), g(l, x_1))\, dt \Big\| \le b_i\, t_1.$

That is, $t_1 \ge c_i / b_i$. But we know that $t_1 < t^* \le T$ and, by the periodicity of $control$ actions, $T \le \Delta_1 + \Delta_2$. Combining these, we get $\Delta_1 + \Delta_2 > c_i / b_i$, which contradicts condition (d). □

⁴ $\tau_1 \frown \tau_2$ is the trajectory obtained by concatenating $\tau_2$ at the end of $\tau_1$.

Fig. 2. A graphical explanation of Lemma 3.2 showing an invariant set $I_l$ defined by two boundary functions. The boundary $\partial I_1$ is drawn as a solid line, whereas the boundary $\partial I_2$ is drawn as a dotted line. The corresponding sets $C_1$ and $C_2$ are also shown.

For PCHAs with certain properties, the following lemma provides sufficient conditions for the existence of the bounds $b_j$ and $c_j$ which satisfy the bounded distance and bounded speed conditions of Lemma 3.2.

Lemma 3.3. For a given $l \in \mathcal{L}$, let $U_l = \{ g(l, s) \mid s \in I_l \} \subseteq U$, and suppose that $I_l$ is compact and $f_l$ is continuous on $I_l \times U_l$. The bounded distance and bounded speed conditions (of Lemma 3.2) are satisfied if $C_j \subseteq I_l$ satisfies the following conditions:

$C_j$ is closed, (1)

$C_j \cap \partial I_j = \emptyset$. (2)

Proof. From the continuity of $F_{lj}$, we can assume, without loss of generality, that $\partial I_j \ne \emptyset$. This is because if $\partial I_j = \emptyset$, then for all $s \in X$ it must be that either $F_{lj}(s) > 0$ or $F_{lj}(s) < 0$, that is, $F_{lj}$ is not needed to describe $I_l$. In addition, the case where $C_j = \emptyset$ is trivial, since conditions (b) and (c) of Lemma 3.2 are then satisfied for an arbitrarily large $c_j$ and an arbitrarily small $b_j$. So for the rest of the proof, we assume that $\partial I_j \ne \emptyset$ and $C_j \ne \emptyset$. Since $I_l$ is compact and $C_j$ and $\partial I_j$ are closed, $C_j$ and $\partial I_j$ are also compact. Consider the function $G_j : \partial I_j \to \mathbb{R}$ defined by

$G_j(s) = \min_{s_0 \in C_j} \|s - s_0\|,$

where $\|\cdot\|$ is a norm on $\mathbb{R}^n$. Due to the continuity of $\|\cdot\|$ and the compactness and nonemptiness of $C_j$, $G_j$ is continuous, and since $C_j \cap \partial I_j = \emptyset$, we get that for all $s \in \partial I_j$, $G_j(s) > 0$. Since $\partial I_j$ is compact and nonempty, $G_j$ attains its minimum on $\partial I_j$. So there exists $c_j > 0$ such that $\min_{s \in \partial I_j} G_j(s) \ge c_j$.

Next, consider the function $H_j : I_l \to \mathbb{R}$ defined by

$H_j(s) = \max_{s_0 \in C_j} \|f_l(s, g(l, s_0))\|.$

Using the continuity of $f_l$, the compactness and nonemptiness of $C_j$ and $I_l$, and the same argument as above, we can conclude that there exists $b_j > 0$ such that $\max_{s \in I_l} H_j(s) \le b_j$. □

Theorem 3.4 combines the above lemmas and provides sufficient conditions for invariance of $\mathcal{I}$.

Theorem 3.4. Consider a PCHA $\mathcal{A}$ and a set $\mathcal{I} \subseteq Q_{\mathcal{A}}$. Suppose $Q_{0,\mathcal{A}} \subseteq \mathcal{I}$, $\mathcal{A}$ satisfies the control invariance condition (a) of Lemma 3.1, and conditions (a)-(d) of Lemma 3.2 hold for each $l \in \mathcal{L}_{\mathcal{A}}$. Then $Reach_{\mathcal{A}} \subseteq \mathcal{I}$.

Proof. The proof follows directly from Lemma 3.1 and Lemma 3.2, since if conditions (a)-(d) of Lemma 3.2 are satisfied for every $l \in \mathcal{L}$, then condition (b) of Lemma 3.1 is satisfied. □
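The checks that condition (a) of Lemma 3.1 and conditions (a)-(d) of Lemma 3.2 ask for, together with the automaton of Figure 1 itself, are concrete enough to exercise on a toy instance. The following Python program is an added example; it is not part of the paper or of its authors' tooling. It constructs a scalar PCHA whose modes $\mathcal{L} = \{-1, 0, 1\}$ are set-points, with plant $\dot{s} = u$, control law $g(l, s) = -K(s - l)$, candidate invariant $I_l = \{ s : |s - l| \le 1 \}$ given by $F_{l1}(s) = 1 - (s - l)$ and $F_{l2}(s) = 1 + (s - l)$, and subsets $C_{l1} = \{ s_0 \in I_l : s_0 \le l \}$, $C_{l2} = \{ s_0 \in I_l : s_0 \ge l \}$; the gain $K$, the timing parameters $\Delta_1, \Delta_2$ and the map $h$ are likewise assumptions made for the illustration. The program evaluates conditions (a)-(c) of Lemma 3.2 on a finite grid and condition (d) from the resulting bounds (a grid can refute the conditions but, unlike the sum of squares or quantifier elimination formulations, cannot prove them), checks the control-step condition of Lemma 3.1 for a guarded and an unguarded $h$, and simulates the automaton of Figure 1 with randomly timed $control$ and $update$ actions.

```python
# Added example, not from the paper: grid checks of Lemma 3.1(a) and Lemma 3.2
# for a small constructed PCHA in the shape of Figure 1, plus a simulation of
# that automaton.  A finite grid can refute the conditions but not prove them.
import math
import random

K = 1.0                      # proportional gain (assumed)
MODES = (-1, 0, 1)           # L: each mode is the set-point being tracked
DELTA1, DELTA2 = 0.5, 0.2    # control actions are spaced within [D1, D1+D2]
GRAD_F = (-1.0, 1.0)         # dF_l1/ds and dF_l2/ds for the F below

def f(l, s, u):
    """Plant (assumed): scalar s with ds/dt = f_l(s, u) = u."""
    return u

def g(l, s):
    """Control law evaluated at control actions: u = -K (s - l)."""
    return -K * (s - l)

def F(l, s):
    """Boundary functions of I_l = {s : |s - l| <= 1}: (F_l1, F_l2)."""
    return (1.0 - (s - l), 1.0 + (s - l))

def in_I(l, s, eps=1e-12):
    return all(v >= -eps for v in F(l, s))

def in_C(l, j, s0):
    """C_lj: controls computed at s0 here may point outward at boundary j."""
    return s0 <= l if j == 0 else s0 >= l

def h(l, s, z, guard=True):
    """Control-step map (loc, s) := h(loc, s, z): move to the mode nearest the
    requested set-point z; with guard=True only if s already lies in I_target."""
    target = min(MODES, key=lambda m: abs(m - z))
    return (l, s) if guard and not in_I(target, s) else (target, s)

def grid(l):
    return [l + i / 10 for i in range(-10, 11)]

def lemma32_bounds(l):
    """Lemma 3.2 (a)-(c) on a grid for mode l: returns [(c_j, b_j)] for j = 1, 2,
    or raises AssertionError if the subtangential check fails."""
    pts = [s for s in grid(l) if in_I(l, s)]
    out = []
    for j in range(2):
        bdry = [s for s in pts if abs(F(l, s)[j]) < 1e-12]      # dI_j on the grid
        C = [s0 for s0 in pts if in_C(l, j, s0)]
        for s0 in pts:                                           # (a) subtangential
            if not in_C(l, j, s0):
                for s in bdry:
                    assert GRAD_F[j] * f(l, s, g(l, s0)) > 0, (l, j, s0, s)
        c_j = min(abs(s - s0) for s0 in C for s in bdry)         # (b) bounded distance
        b_j = max(abs(f(l, s, g(l, s0))) for s0 in C for s in pts)  # (c) bounded speed
        out.append((c_j, b_j))
    return out

def fast_sampling_ok():
    """Lemma 3.2 (d) in every mode: Delta1 + Delta2 < min_j c_j / b_j."""
    return all(DELTA1 + DELTA2 < min(c / b for c, b in lemma32_bounds(l))
               for l in MODES)

def control_step_preserves(guard):
    """Lemma 3.1 (a) on the grid: a control step taken from a state in the
    invariant must land in it, whatever command z the update action left."""
    return all(in_I(*h(l, s, z, guard))
               for l in MODES for s in grid(l)
               for z in (-2.0, -1.0, -0.3, 0.0, 0.6, 1.0, 2.0))

def simulate(steps=5000, dt=0.01, seed=7):
    """Run the PCHA of Figure 1 (Euler steps are exact here because u is
    constant between control actions).  Returns the smallest value of
    min_j F_loc,j(s) seen, which Theorem 3.4 says must not drop below 0."""
    rng = random.Random(seed)
    loc, s, z, u = 0, 0.0, 0.0, 0.0
    now, nxt = 0.0, -DELTA2                 # initial values as in Figure 1
    worst = math.inf
    for _ in range(steps):
        # control is enabled once now >= next and forced by the stopping
        # condition now = next + Delta2; fire at a random time in between
        if now >= nxt and (now >= nxt + DELTA2 - 1e-9 or rng.random() < 0.2):
            nxt = now + DELTA1
            loc, s = h(loc, s, z)
            u = g(loc, s)
        if rng.random() < 0.05:             # update(z') may occur at any time
            z = rng.uniform(-2.0, 2.0)
        s += dt * f(loc, s, u)
        now += dt
        worst = min(worst, min(F(loc, s)))
    return worst

if __name__ == "__main__":
    for l in MODES:
        print("mode", l, "(c_j, b_j):", lemma32_bounds(l))
    print("fast sampling:", fast_sampling_ok())
    print("control step keeps invariant, guarded h:", control_step_preserves(True))
    print("control step keeps invariant, naive h:", control_step_preserves(False))
    print("worst boundary margin in simulation:", simulate())
```

The unguarded $h$ is the instructive failure: it adopts whatever set-point $update$ last delivered, so a $control$ step can move $loc$ to a mode whose $I_l$ does not contain the current $s$, and the grid check reports the violated control-step condition even though conditions (a)-(d) of Lemma 3.2 hold in every mode. The guarded $h$ switches mode only when $s$ already lies in the new mode's invariant set, which is what condition (a) of Lemma 3.1 demands of the command-handling logic: the periodic control loop alone cannot protect the invariant against a command that moves the goal posts.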

Although the PCHA of Figure 1 has one action of each type, Theorem 3.4 can be extended to periodically controlled hybrid systems with an arbitrary number of input and internal actions. For PCHAs with polynomial vector fields, given the semi-algebraic sets $I_l$ and $C_j$, checking condition (a) and finding $c_j$ and $b_j$ that satisfy conditions (b) and (c) of Lemma 3.2 can be formulated as a sum of squares optimization problem (provided that $I_l$ and $C_j$ are basic semi-algebraic sets), or as proving the emptiness of certain semi-algebraic sets using quantifier elimination. The sum of squares formulation is presented in the next section and allows the proof to be automated using, for example, SOSTOOLS [Prajna et al. 2002]. The quantifier elimination problem can also be formulated and allows the proof to be automated using, for example, QEPCAD [Brown 2003]. Alternatively, in Section 3.4, we show how an invariant set can be automatically computed using the constraint-based approach presented in [Gulwani and Tiwari 2008].

3.3 Sum of Squares Formulation for Checking the Invariant Conditions

Suppose the candidate invariant set $I_l$ is a basic semi-algebraic set, i.e., each of the boundary functions $F_{l,i} : X \to \mathbb{R}$ is a real polynomial. This section presents a sum of squares formulation for the following two cases: (1) checking condition (a) and finding the $c_j$ and $b_j$ that satisfy conditions (b) and (c) of Lemma 3.2 for a given basic semi-algebraic subset $C_j$, and (2) finding a subset $C_j$ such that conditions (a)-(c) of Lemma 3.2 are satisfied. For the first case, the sum of squares problem is convex and can be solved using, for example, SOSTOOLS [Prajna et al. 2002]. For the second case, however, the problem is not convex but can still be solved automatically using an iterative scheme as presented in [Prajna and Jadbabaie 2004].


Checking Invariant Condition for a Given Subset

Suppose $C_j$ is a basic semi-algebraic set, that is, there exists a natural number $p$ such that $C_j$ can be written as

$$C_j = \{ s \in I_l \mid \forall i \in \{1, \ldots, p\},\ G_{j,i}(s) \geq 0 \} \quad (3)$$

where $G_{j,i} : X \to \mathbb{R}$ is a real polynomial for each $i \in \{1, \ldots, p\}$. Then the set $I_l \setminus C_j = I_l \cap \overline{C_j}$ is given by

$$I_l \setminus C_j = \{ s \in X \mid (F_{l,1}(s) \geq 0 \wedge \ldots \wedge F_{l,m}(s) \geq 0 \wedge G_{j,1}(s) < 0) \vee (F_{l,1}(s) \geq 0 \wedge \ldots \wedge F_{l,m}(s) \geq 0 \wedge G_{j,2}(s) < 0) \vee \ldots \vee (F_{l,1}(s) \geq 0 \wedge \ldots \wedge F_{l,m}(s) \geq 0 \wedge G_{j,p}(s) < 0) \} \quad (4)$$

The following provides a sufficient condition for condition (a) of Lemma 3.2.

For each $k \in \{1, \ldots, p\}$, there exist sums of squares $\mu_k(s)$, $\rho_{k,i}(s)$ and $\sigma_{k,i}(s)$ for $i \in \{1, \ldots, m\}$ and a polynomial $\nu_k(s)$ such that

$$\frac{\partial F_{l,j}(s)}{\partial s} \cdot f_l(s, g(l, s_0)) - \sum_{i=1}^{m} \rho_{k,i}(s) F_{l,i}(s) - \nu_k(s) F_{l,j}(s) - \sum_{i=1}^{m} \sigma_{k,i}(s_0) F_{l,i}(s_0) + \mu_k(s_0) G_{j,k}(s_0)$$

is a sum of squares.

Condition (b) of Lemma 3.2 can be formulated as the following optimization problem.

Minimize $-c_j$ such that there exist sums of squares $\gamma_i(s)$ for $i \in \{1, \ldots, m\}$ and $\chi_i(s)$ for $i \in \{1, \ldots, p\}$ and a polynomial $\gamma_{m+1}(s)$ such that

$$\|s - s_0\|^2 - c_j^2 - \sum_{i=1}^{m} \gamma_i(s) F_{l,i}(s) - \gamma_{m+1}(s) F_{l,j}(s) - \sum_{i=1}^{p} \chi_i(s_0) G_{j,i}(s_0)$$

is a sum of squares.

Finally, condition (c) of Lemma 3.2 can be formulated as the following optimization problem.

Minimize $b_j$ such that there exist sums of squares $\zeta_i(s)$ for $i \in \{1, \ldots, m\}$ and $\rho_i(s)$ for $i \in \{1, \ldots, p\}$ such that

$$b_j^2 - \|f_l(s, g(l, s_0))\|^2 - \sum_{i=1}^{m} \zeta_i(s) F_{l,i}(s) - \sum_{i=1}^{p} \rho_i(s_0) G_{j,i}(s_0)$$

is a sum of squares.


Finding a Subset for Checking the Invariant Conditions

Suppose $C_j = \{ s \in I_l \mid G_j(s) \geq 0 \}$. In this case, we only have to find a polynomial $G_j(s)$. This problem can be formulated as follows: find sums of squares $\eta_1(s), \ldots, \eta_4(s)$, $\rho_i(s)$, $\sigma_i(s)$, $\gamma_i(s)$, $\kappa_i(s)$ and $\zeta_i(s)$ for $i \in \{1, \ldots, m\}$ and polynomials $G_j(s)$, $\nu(s)$ and $\gamma_{m+1}(s)$ such that the following are sums of squares:

(a) $F_{l,j}(s) - \eta_1(s) G_j(s)$,

(b) $\frac{\partial F_{l,j}(s)}{\partial s} \cdot f_l(s, g(l, s_0)) - \sum_{i=1}^{m} \rho_i(s) F_{l,i}(s) - \nu(s) F_{l,j}(s) - \sum_{i=1}^{m} \sigma_i(s_0) F_{l,i}(s_0) + \eta_2(s_0) G_j(s_0)$,

(c) $\|s - s_0\|^2 - c_j^2 - \sum_{i=1}^{m} \gamma_i(s) F_{l,i}(s) - \gamma_{m+1}(s) F_{l,j}(s) - \sum_{i=1}^{m} \kappa_i(s_0) F_{l,i}(s_0) - \eta_3(s_0) G_j(s_0)$, and

(d) $b_j^2 - \|f_l(s, g(l, s_0))\|^2 - \sum_{i=1}^{m} \zeta_i(s) F_{l,i}(s) - \eta_4(s_0) G_j(s_0)$.

3.4 Example

Consider a one-dimensional system whose continuous state needs to be regulated such that it stays within a certain safety region. The system has the following variables:

(a) a continuous state variable $s$ of type $\mathbb{R}$, initialized to $s_0 \in [D - \delta, D + \delta]$ where $D \in \mathbb{R}$ is a system parameter and $\delta \in \mathbb{R}_{\geq 0}$ is an arbitrary uncertainty in the initial state of the system,

(b) a discrete state variable $loc$ of type $\mathcal{L} = \{0, 1\}$,

(c) a control variable $u$ of type $U = \{a_1, a_2\}$ where $a_1 \in \mathbb{R}_-$ and $a_2 \in \mathbb{R}_+$ are system parameters.

Figure 3 shows the SHIOA specification of this state regulator system. The control action occurs once every $\Delta$ time starting from time 0, where $\Delta \in \mathbb{R}_+$. This action updates the values of the variables $loc$ and $u$ based on the system parameter $D$ as follows.

A. If $s > D$, then $loc$ is set to 1 (line 16). Otherwise, $loc$ is set to 0 (line 17). That is, the function $h$ of line 19 of Figure 1 which updates $loc$ and $s$ is defined as $h = (h_l, h_s)$ where $h_l$ and $h_s$ describe the discrete transition of $loc$ and $s$ respectively and

$$h_s(loc, s, z) = s, \quad (5)$$

$$h_l(loc, s, z) = \begin{cases} 0 & \text{if } s \leq D \\ 1 & \text{otherwise} \end{cases} \quad (6)$$

B. Based on the updated value of $loc$, $u$ is computed using the function $g$ of line 20 of Figure 1, which is defined as follows (lines 18-19):

$$g(loc, s) = \begin{cases} a_1 & \text{if } loc = 1 \\ a_2 & \text{otherwise} \end{cases} \quad (7)$$

Along a trajectory, the continuous state $s$ evolves according to the differential equation $\dot{s} = u$ (line 22). That is, for any $l \in \mathcal{L}$, the function $f_l$ of line 25 of Figure 1 is defined as $f_l(s, u) = u$.

Invariant. For each mode $l \in \mathcal{L}$, we let $I_l = [D - \max(\delta, -a_1\Delta),\ D + \max(\delta, a_2\Delta)]$. That is, the candidate invariant set $I_l$ is defined by two boundary functions

$$F_{l,1}(s) = s - D + \max(\delta, -a_1\Delta), \quad \text{and} \quad F_{l,2}(s) = -s + D + \max(\delta, a_2\Delta). \quad (8)$$

The overall candidate invariant set is then given by $\mathcal{I} = \{ \mathbf{x} \in Q \mid F_{l,1}(\mathbf{x}.s) \geq 0 \text{ and } F_{l,2}(\mathbf{x}.s) \geq 0 \}$.


Fig. 3. The state regulator system with parameters $a_1 \in \mathbb{R}_-$, $a_2 \in \mathbb{R}_+$, $\Delta \in \mathbb{R}_+$, $\delta \in \mathbb{R}_{\geq 0}$ and $D \in \mathbb{R}$. The SHIOA listing of the figure (original line numbers not preserved):

signature
    internal control
    input update(z : Z)
variables
    internal s : R := s_0 ∈ [D − δ, D + δ]
    internal discrete loc : {0, 1}, u : {a_1, a_2}
    internal now : R≥0 := 0, next : R≥0 := 0
transitions
    internal control
        pre now ≥ next
        eff next := now + Δ;
            if s > D then loc := 1 else loc := 0 fi
            if loc = 1 then u := a_1 else u := a_2 fi
trajectories
    evolve d(now) = 1; d(s) = u
    stop when now = next

Proving Invariant. We use Theorem 3.4 to show that $\mathcal{I}$ is in fact an invariant of the system. Clearly, the initial state is contained in $\mathcal{I}$, and the control invariance condition of Lemma 3.1 is satisfied since control actions do not change the value of $s$. Thus, we only need to show that there exist subsets $C_1$ and $C_2$ of $I_l$ such that conditions (a)-(d) of Lemma 3.2 are satisfied. It can be easily verified that with $C_1 = [D,\ D + \max(\delta, a_2\Delta)]$ and $C_2 = [D - \max(\delta, -a_1\Delta),\ D]$, we get $c_1 = \max(\delta, -a_1\Delta)$, $c_2 = \max(\delta, a_2\Delta)$, $b_1 = -a_1$, $b_2 = a_2$, and conditions (a)-(d) of Lemma 3.2 are satisfied.
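The following added example (not code from the paper) simulates the regulator of Figure 3 under sample-and-hold control and checks the invariant $I_l$ of (8) empirically; it also shows that the naive set $[D - \delta, D + \delta]$ stops being invariant once $a_2\Delta > \delta$, which is exactly the slack that $\max(\delta, a_2\Delta)$ accounts for. Parameter values in the test are chosen here.

```python
"""Sample-and-hold simulation of the one-dimensional state regulator of Figure 3.
Added example, not code from the paper. Between control actions s' = u, so the
continuous state moves by exactly u * Delta per period and its extreme values
are attained at the sampling instants."""
import random


class Regulator:
    """Parameters as in Figure 3: a1 < 0 < a2, delta >= 0, Delta > 0."""

    def __init__(self, D, delta, a1, a2, Delta):
        assert a1 < 0 < a2 and delta >= 0 and Delta > 0
        self.D, self.delta, self.a1, self.a2, self.Delta = D, delta, a1, a2, Delta

    def invariant(self):
        """I_l of (8): [D - max(delta, -a1 Delta), D + max(delta, a2 Delta)]."""
        return (self.D - max(self.delta, -self.a1 * self.Delta),
                self.D + max(self.delta, self.a2 * self.Delta))

    def control(self, s):
        """The control action: h_l of (6) sets loc := 1 iff s > D, then g of (7) picks u."""
        loc = 1 if s > self.D else 0
        return loc, (self.a1 if loc == 1 else self.a2)

    def run(self, s0, n_periods):
        """Simulate n_periods control periods from s0.
        Returns the sampled states and the (min, max) reached along the trajectory."""
        s, samples = s0, [s0]
        for _ in range(n_periods):
            _, u = self.control(s)
            s += u * self.Delta          # exact solution of s' = u over one period
            samples.append(s)
        return samples, (min(samples), max(samples))


def contained(interval, lo, hi, tol=1e-12):
    """True when [lo, hi] lies inside interval (up to floating-point slack)."""
    return interval[0] - tol <= lo and hi <= interval[1] + tol


def check_invariant(reg, n_runs=200, n_periods=50, seed=1):
    """Empirical check over random initial states s0 in [D - delta, D + delta].
    Returns (every run stays in I_l, every run stays in the naive set [D - delta, D + delta]).
    The second flag is False (with overwhelming probability over the random draws)
    whenever a2 Delta > delta or -a1 Delta > delta: the control input chosen at a
    sampling instant is held for a full period, so s overshoots D by up to a2 Delta."""
    rng = random.Random(seed)
    naive = (reg.D - reg.delta, reg.D + reg.delta)
    in_inv = in_naive = True
    for _ in range(n_runs):
        _, (lo, hi) = reg.run(rng.uniform(*naive), n_periods)
        in_inv &= contained(reg.invariant(), lo, hi)
        in_naive &= contained(naive, lo, hi)
    return in_inv, in_naive
```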

Automatically Finding an Invariant. We consider the case where $a_1 = -1$ and $a_2 = 1$. Assume that an invariant $I_l$ for both modes $l = 0$ and $l = 1$ has the following form: $I_l = \{ s \in \mathbb{R} \mid F_{l,1}(s) \geq 0 \text{ and } F_{l,2}(s) \geq 0 \}$ where $F_{l,1}(s) = s - \eta_1$, $F_{l,2}(s) = -s + \eta_2$, and $\eta_1 \leq D - \delta$ and $\eta_2 \geq D + \delta$ are constants that need to be computed such that all the conditions of Lemma 3.2 are satisfied.

To prove that $I_l$ is in fact an invariant, we use the sets $C_1$ and $C_2$ of the following forms: $C_1 = \{ s \in \mathbb{R} \mid G_1(s) \geq 0 \text{ and } F_{l,2}(s) \geq 0 \}$ and $C_2 = \{ s \in \mathbb{R} \mid F_{l,1}(s) \geq 0 \text{ and } G_2(s) \geq 0 \}$ where $G_1(s) = s - \kappa_1$, $G_2(s) = -s + \kappa_2$ and $\kappa_1$ and $\kappa_2$ are constants to be determined.

Clearly, for any $s, s_0 \in \mathbb{R}$ and $l \in \mathcal{L}$, $\|f_l(s, g(l, s_0))\| = \|g(l, s_0)\| = 1$. Thus, condition (c) of Lemma 3.2 is satisfied with $b_j = 1$ for any sets $C_j$ and $I_l$. With the particular form of the sets $C_1$, $C_2$ and $I_l$ we have previously chosen, it can be easily checked that the problem of finding $\eta_1, \eta_2, \kappa_1$ and $\kappa_2$ such that all the conditions of Lemma 3.2 are satisfied for $j = 1$ is equivalent to finding $\eta_1, \eta_2, \kappa_1$ and $\kappa_2$ such that for all $s, s_0 \in \mathbb{R}$, the following are satisfied:

(a) $(F_{l,1}(s_0) < 0) \vee (F_{l,2}(s_0) < 0) \vee (G_1(s_0) \geq 0) \vee (F_{l,1}(s) \neq 0) \vee (F_{l,2}(s) < 0) \vee (s_0 \leq D)$

(b) $\kappa_1 \leq \eta_2$

(c) $\kappa_1 \geq \eta_1$

(d) $\kappa_1 - \eta_1 \geq \Delta$

Similarly, for $j = 2$, the following conditions need to be satisfied for all $s, s_0 \in \mathbb{R}$:

(e) $(F_{l,1}(s_0) < 0) \vee (F_{l,2}(s_0) < 0) \vee (G_2(s_0) \geq 0) \vee (F_{l,1}(s) < 0) \vee (F_{l,2}(s) \neq 0) \vee (s_0 > D)$

(f) $\kappa_2 \geq \eta_1$

(g) $\kappa_2 \leq \eta_2$

(h) $\eta_2 - \kappa_2 \geq \Delta$

As described in [Gulwani and Tiwari 2008], the validity of condition (a) can be proved by finding a constant $\lambda_1$ and non-negative constants $\nu_1, \ldots, \nu_3$ and $\mu_1, \ldots, \mu_3$ such that

$$\nu_1 F_{l,1}(s_0) + \nu_2 F_{l,2}(s_0) - \mu_1 G_1(s_0) + \lambda_1 F_{l,1}(s) + \nu_3 F_{l,2}(s) + \mu_2 (s_0 - D) + \mu_3 = 0 \quad (9)$$

and at least one of $\mu_1, \mu_2, \mu_3$ is strictly positive. Similarly, the validity of condition (e) can be proved by finding a constant $\lambda_2$ and non-negative constants $\nu_4, \ldots, \nu_7$ and $\mu_4, \mu_5$ such that

$$\nu_4 F_{l,1}(s_0) + \nu_5 F_{l,2}(s_0) - \mu_4 G_2(s_0) + \nu_6 F_{l,1}(s) + \lambda_2 F_{l,2}(s) + \nu_7 (D - s_0) + \mu_5 = 0 \quad (10)$$

and either $\mu_4 > 0$ or $\mu_5 > 0$ (or both).

Using the tool presented in [Gulwani and Tiwari 2008], the unknowns that satisfy (9), (10) and conditions (b)-(d) and (f)-(h) are found for $D = 1$, $\delta = 0.1$ and $\Delta = 0.1$ to be: $\eta_1 = 0.8$, $\eta_2 = 1.2$, $\kappa_1 = 0.9$, $\kappa_2 = 1.1$, $\nu_1 = 1$, $\nu_2 = 2$, $\mu_1 = 16$, $\lambda_1 = 0$, $\nu_3 = 0$, $\mu_2 = 17$, $\mu_3 = 1$, $\nu_4 = 0$, $\nu_5 = 0$, $\mu_4 = 20$, $\nu_6 = 0$, $\lambda_2 = 0$, $\nu_7 = 20$ and $\mu_5 = 2$. That is, the invariant set is given by $I_l = [0.8, 1.2]$ (whereas the invariant set we have verified manually is given by $I_l = [0.9, 1.1]$).
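As an added example (not the paper's code and not the Gulwani-Tiwari tool), the following checks a set of witnesses for the certificates (9) and (10) together with conditions (b)-(d) and (f)-(h): each certificate is expanded as a polynomial that is affine in $(s, s_0)$ and must vanish coefficient-wise, with the sign constraints on the $\nu$'s and $\mu$'s. The constants in `PAPER_WITNESS` are the ones reported above for $D = 1$, $\delta = 0.1$, $\Delta = 0.1$.

```python
"""Checker for the linear certificates (9) and (10) of Section 3.4. Added example,
not the paper's code nor the Gulwani-Tiwari tool. A polynomial that is affine in
(s, s0) is stored as a coefficient tuple (c_s, c_s0, c_1)."""


def affine(c_s, c_s0, c_1):
    return (float(c_s), float(c_s0), float(c_1))


def combine(*weighted):
    """Coefficient-wise sum of k * p over (k, p) pairs."""
    return tuple(sum(k * p[i] for k, p in weighted) for i in range(3))


def certificate_9(D, eta1, eta2, kappa1, nu, lam1, mu):
    """Left-hand side of (9) with F_l1(s) = s - eta1, F_l2(s) = -s + eta2, G1(s) = s - kappa1:
    nu1 F_l1(s0) + nu2 F_l2(s0) - mu1 G1(s0) + lam1 F_l1(s) + nu3 F_l2(s) + mu2 (s0 - D) + mu3."""
    nu1, nu2, nu3 = nu
    mu1, mu2, mu3 = mu
    return combine((nu1, affine(0, 1, -eta1)), (nu2, affine(0, -1, eta2)),
                   (-mu1, affine(0, 1, -kappa1)), (lam1, affine(1, 0, -eta1)),
                   (nu3, affine(-1, 0, eta2)), (mu2, affine(0, 1, -D)), (mu3, affine(0, 0, 1)))


def certificate_10(D, eta1, eta2, kappa2, nu, lam2, mu):
    """Left-hand side of (10) with G2(s) = -s + kappa2:
    nu4 F_l1(s0) + nu5 F_l2(s0) - mu4 G2(s0) + nu6 F_l1(s) + lam2 F_l2(s) + nu7 (D - s0) + mu5."""
    nu4, nu5, nu6, nu7 = nu
    mu4, mu5 = mu
    return combine((nu4, affine(0, 1, -eta1)), (nu5, affine(0, -1, eta2)),
                   (-mu4, affine(0, -1, kappa2)), (nu6, affine(1, 0, -eta1)),
                   (lam2, affine(-1, 0, eta2)), (nu7, affine(0, -1, D)), (mu5, affine(0, 0, 1)))


def certificate_holds(poly, nu, mu, tol=1e-9):
    """Valid when the combination vanishes identically, all nu's and mu's are non-negative
    and at least one mu (a multiplier of a strict inequality) is strictly positive."""
    return (all(abs(c) <= tol for c in poly) and all(k >= 0 for k in nu + mu)
            and any(k > 0 for k in mu))


def side_conditions(eta1, eta2, kappa1, kappa2, Delta, tol=1e-9):
    """Conditions (b)-(d) and (f)-(h): C_1 = [kappa1, eta2] and C_2 = [eta1, kappa2] lie in
    I_l = [eta1, eta2] and keep distance at least Delta (= b_j Delta, since b_j = 1) from
    the boundary point they guard."""
    return (eta1 - tol <= kappa1 <= eta2 + tol and kappa1 - eta1 >= Delta - tol
            and eta1 - tol <= kappa2 <= eta2 + tol and eta2 - kappa2 >= Delta - tol)


def verify(D, Delta, eta1, eta2, kappa1, kappa2, nu9, lam1, mu9, nu10, lam2, mu10):
    """Full check of the candidate invariant [eta1, eta2] with its witnesses for (9) and (10)."""
    ok9 = certificate_holds(certificate_9(D, eta1, eta2, kappa1, nu9, lam1, mu9), nu9, mu9)
    ok10 = certificate_holds(certificate_10(D, eta1, eta2, kappa2, nu10, lam2, mu10), nu10, mu10)
    return ok9 and ok10 and side_conditions(eta1, eta2, kappa1, kappa2, Delta)


# Constants reported in the paper for D = 1, delta = 0.1, Delta = 0.1.
PAPER_WITNESS = dict(D=1.0, Delta=0.1, eta1=0.8, eta2=1.2, kappa1=0.9, kappa2=1.1,
                     nu9=(1, 2, 0), lam1=0, mu9=(16, 17, 1),
                     nu10=(0, 0, 0, 20), lam2=0, mu10=(20, 2))
```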

4. AUTONOMOUS VEHICLE SYSTEM

In this section, we describe a subsystem of an autonomous ground vehicle (Alice) consisting of the physical vehicle and the controller (see Figure 4(a)). Vehicle captures the position, orientation, and velocity of the vehicle on the plane. Controller receives information about the state of the vehicle and periodically computes the input steering ($\phi$) and the acceleration ($a$). Controller also receives an infinite* sequence of waypoints from a Planner and its objective is to compute $a$ and $\phi$ such that the vehicle (a) remains within a certain bounded distance $e_{max}$ of the planned path, and (b) makes progress towards successive waypoints at a target speed. Property (a), together with the assumption (possibly guaranteed by Planner) that all planned paths are at least $e_{max}$ distance away from obstacles, implies that the Vehicle does not collide with obstacles. While the Vehicle makes progress towards a certain waypoint, the subsequent waypoints may change owing to the discovery of new obstacles, short-cuts, and changes in the mission plan. Finally, the Controller may receive an externally triggered brake input, to which it must react by slowing the vehicle down.

4.1 Vehicle

The Vehicle automaton of Figure 4 specifies the dynamics of the autonomous ground vehicle with acceleration ($a$) and steering angle ($\phi$) as inputs. It has two parameters: (a) $\phi_{max} \in (0, \frac{\pi}{2}]$ is the physical limit on the steering angle, and (b) $L$ is the wheelbase. The main output variables of Vehicle are (a) $x$ and $y$ coordinates of the vehicle with respect to a global coordinate system, (b) orientation $\theta$ of the vehicle


*The verification technique can be extended in an obvious way to handle the case where the vehicle has to follow a finite sequence of waypoints and halt at the end.


Fig. 4. (a) Planner-Controller system: block diagram with Planner feeding paths to Controller, which drives Vehicle (diagram not reproduced). (b) Deviation & disorientation (diagram not reproduced). (c) Vehicle, given by the SHIOA listing:

variables
    output x : R := x_0; y : R := y_0; θ : R := θ_0; v : R := v_0
    input a, φ : R
trajectories
    evolve d(x) = v cos(θ)
           d(y) = v sin(θ)
           if |φ| ≤ φ_max then d(θ) = (v/L) tan(φ)
           else d(θ) = (v/L) tan(sgn(φ) φ_max) fi
           if v > 0 ∨ a > 0 then d(v) = a
           else d(v) = 0 fi

with respect to the positive direction of the $x$ axis, and (c) the vehicle's velocity $v$. These variables evolve according to the differential equations of lines 7-14. Two aspects of this Vehicle model are noteworthy:

(i) In determining the orientation of the vehicle, if the input steering angle $\phi$ is greater than the maximum limit $\phi_{max}$, then the maximum steering in the correct direction is applied.

(ii) The acceleration can be negative only if the velocity is positive, and therefore the vehicle cannot move backwards.

This vehicle model requires bounds on minimum and maximum acceleration; however, the controller ensures that the input acceleration is always within such a bound.

4.2 Controller

Figure 5 shows the SHIOA specification of the Controller automaton that reads the state of the Vehicle periodically and issues acceleration and steering outputs to achieve the aforementioned goals.

Controller is parameterized by: (a) the sampling period $\Delta \in \mathbb{R}_+$, (b) the target speed $v_t \in \mathbb{R}_{>0}$, (c) proportional control gains $k_1, k_2 > 0$, (d) a constant $\delta > 0$ relating the maximum steering angle and the speed, (e) maximum and braking accelerations $a_{max} > 0$ and $a_{brake} < 0$. Restricting the maximum steering angle instead of the maximum steering rate is a simplifying but conservative assumption. Given a constant relating the maximum steering rate and the speed, there exists a $\delta$ as defined above that guarantees that the maximum steering rate requirement is satisfied.

A path is an infinite sequence of points $p_1, p_2, \ldots$ where $p_i \in \mathbb{R}^2$ for each $i$. The main state variables of Controller are the following:

(a) $brake$ and $new\_path$ are command variables that store the information received through the most recent brake (On or Off) and plan (a path) actions.

(b) $path$ is the current path being followed by Controller.

(c) $seg$ is the index of the last waypoint visited in the current path. That is, $seg + 1$ is the index of the current waypoint. The straight line joining $path[seg]$ and $path[seg + 1]$ is called the current segment.

(d) deviation $e_1$ is the signed perpendicular distance from the current position of the vehicle to the current segment (see Figure 4(b)).

(e) disorientation $e_2$ is the difference between the current orientation of the vehicle ($\theta$) and the angle of the current segment.

(f) waypoint-distance $d$ is the signed distance of the vehicle to the current waypoint measured parallel to the current segment.


Fig. 5. Controller with parameters $v_t, k_1, k_2 \in \mathbb{R}_{>0}$, $\delta, \Delta \in \mathbb{R}_+$ and $a_{brake} < 0$. The SHIOA listing of the figure (original line numbers not preserved; entries marked … are illegible in this copy):

signature
    input plan(p : Seq[R²]); brake(b : {On, Off})
    internal main
variables
    input x, y, θ, v : R
    output a, φ : R := (0, 0)
    internal brake : {On, Off} := Off
    path : Seq[R²] := arbitrary
    new_path : Seq[R²] := path
    seg : N := 1
    e1, e2, d : R := e1_0, 0, d_0
    now : R := 0; next : R≥0 := 0
transitions
    input plan(p)
        eff new_path := p
    input brake(b)
        eff brake := b
    internal main
        pre now = next
        eff next := now + Δ
            if path ≠ new_path ∨ d ≤ 0 then
                if path ≠ new_path then seg := 1; path := new_path
                elseif d ≤ 0 then seg := seg + 1 fi
                let p = (path[seg + 1].x − path[seg].x, path[seg + 1].y − path[seg].y)
                    q = (path[seg + 1].y − path[seg].y, −(path[seg + 1].x − path[seg].x))
                    r = (path[seg + 1].x − x, path[seg + 1].y − y)
                e1 := …
                e2 := θ − ∠p
                d := …
            fi
            let φ_d = −k1 e1 − k2 e2
            φ := …
            if brake = On then a := a_brake
            elseif brake = Off ∧ v < v_t then a := a_max
            else a := 0 fi
trajectories
    evolve d(now) = 1
           d(e1) = v sin(e2)
           d(e2) = (v/L) tan(φ)
           d(d) = −v cos(e2)
    stop when now = next

The brake($b$) action is an externally controlled input action that informs the Controller about the application of an external brake ($b = On$) or the removal of the brake ($b = Off$). When brake($b$) occurs, $b$ is recorded in the command variable $brake$. The plan($p$) action is controlled by the external Planner (not presented in this paper) and it informs the Controller about a newly planned path $p$. When this action occurs, the path $p$ is recorded in the variable $new\_path$. The main action occurs once every $\Delta$ time starting from time 0. This action updates the values of the variables $e_1, e_2, d, path, seg, a$ and $\phi$ as follows:

A. If $new\_path$ (obtained from the planner) is different from $path$, then $seg$ is set to 1 and $path$ is set to $new\_path$ (line 27).

B. If $new\_path$ is the same as $path$ and the waypoint-distance $d$ is less than or equal to 0, then $seg$ is set to $seg + 1$ (line 29).

C. For both of the above cases, several temporary variables are computed that are in turn used to update $e_1, e_2, d$ as specified in lines 33-35; otherwise these variables remain unchanged.

D. The steering output to the vehicle $\phi$ is computed using a proportional control law and it is restricted to be at most $\delta$ times the velocity of the vehicle for the mechanical protection of the steering. That is, the magnitude of the steering output $\phi$ is set to the minimum of $|-k_1 e_1 - k_2 e_2|$ and $v \times \delta$ (line 39).

E. The acceleration output $a$ is computed using a bang-bang control law. If $brake$ is On, then $a$ is set to the braking deceleration $a_{brake}$; otherwise, it executes $a_{max}$ until the vehicle reaches the target speed, at which point $a$ is set to 0.

Along a trajectory, the evolution of the variables is specified by the differential equations on lines 48-50. These differential equations are derived from the update rules described above and the differential equations governing the evolution of $x, y, \theta$ and $v$.
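The following added example (not code from the paper or from Alice's software) implements the Controller of Figure 5 and the Vehicle of Figure 4(c) as a sampled-data simulation: `main` fires once every $\Delta$, and the Controller's $e_1, e_2, d$ evolve by the ODEs of lines 48-50 between actions while the Vehicle integrates lines 7-14. The projection formulas used for $e_1$ and $d$ at a segment change, the parameter values, and 0-based waypoint indices are assumptions made here.

```python
"""Sampled-data simulation of the Controller (Figure 5) driving the Vehicle (Figure 4(c)).
Added example, not code from the paper or from Alice's software. Assumed: the formulas
for e1 and d at a segment change (r projected onto q and onto p) and all parameter values.
Waypoint indices are 0-based here; the paper's seg starts at 1."""
import math


class Vehicle:
    """Kinematic bicycle model of Figure 4(c); inputs are a (acceleration) and phi (steering)."""

    def __init__(self, x, y, theta, v, L=1.0, phi_max=math.pi / 4):
        self.x, self.y, self.theta, self.v = x, y, theta, v
        self.L, self.phi_max = L, phi_max

    def step(self, a, phi, dt):
        """One Euler step of lines 7-14; returns d(theta) so the Controller can mirror it."""
        phi_eff = math.copysign(min(abs(phi), self.phi_max), phi)  # saturate, keep direction
        dtheta = self.v / self.L * math.tan(phi_eff)
        dv = a if (self.v > 0 or a > 0) else 0.0                  # never reverses
        self.x += self.v * math.cos(self.theta) * dt
        self.y += self.v * math.sin(self.theta) * dt
        self.theta += dtheta * dt
        self.v = max(self.v + dv * dt, 0.0)
        return dtheta


class Controller:
    """Controller of Figure 5: period Delta, gains k1, k2, steering bound delta*v,
    bang-bang acceleration between a_brake and a_max."""

    def __init__(self, path, Delta=0.1, vt=1.0, k1=0.5, k2=1.5, delta=1.0,
                 a_max=1.0, a_brake=-1.0):
        self.Delta, self.vt, self.k1, self.k2, self.delta = Delta, vt, k1, k2, delta
        self.a_max, self.a_brake, self.brake_cmd = a_max, a_brake, "Off"
        self.path, self.new_path = None, list(path)   # path := arbitrary, so main re-plans
        self.seg, self.e1, self.e2, self.d = 0, 0.0, 0.0, 0.0
        self.a, self.phi, self.now, self.next = 0.0, 0.0, 0.0, 0.0

    def plan(self, p):          # input action plan(p)
        self.new_path = list(p)

    def brake(self, b):         # input action brake(b), b in {"On", "Off"}
        self.brake_cmd = b

    def main(self, veh):
        """Internal action main: enabled when now = next, i.e. once every Delta."""
        self.next = self.now + self.Delta
        if self.path != self.new_path or self.d <= 0:
            if self.path != self.new_path:
                self.seg, self.path = 0, list(self.new_path)   # new path: restart at segment 0
            else:
                self.seg += 1                                  # current waypoint reached
            (x0, y0), (x1, y1) = self.path[self.seg], self.path[self.seg + 1]
            px, py = x1 - x0, y1 - y0                   # p: direction of the current segment
            qx, qy = py, -px                            # q: p rotated clockwise by 90 degrees
            rx, ry = x1 - veh.x, y1 - veh.y             # r: vehicle -> current waypoint
            n = math.hypot(px, py)
            self.e1 = (qx * rx + qy * ry) / n           # deviation (assumed: r along q)
            self.e2 = veh.theta - math.atan2(py, px)    # disorientation: theta - angle of p
            self.d = (px * rx + py * ry) / n            # waypoint-distance (assumed: r along p)
        phi_d = -self.k1 * self.e1 - self.k2 * self.e2  # proportional law
        self.phi = math.copysign(min(abs(phi_d), self.delta * veh.v), phi_d)  # line 39
        if self.brake_cmd == "On":
            self.a = self.a_brake
        elif veh.v < self.vt:
            self.a = self.a_max
        else:
            self.a = 0.0

    def evolve(self, v, dt, dtheta):
        """Trajectory ODEs of lines 48-50, integrated with the vehicle's pre-step speed v."""
        self.e1 += v * math.sin(self.e2) * dt
        self.e2 += dtheta * dt
        self.d -= v * math.cos(self.e2) * dt
        self.now += dt


def simulate(path, x, y, theta, v, t_end, dt=0.01, brake_schedule=()):
    """Run the composed automaton; brake_schedule holds (time, "On"|"Off") pairs.
    Returns (controller, vehicle, largest |e1| observed)."""
    veh, ctl, max_dev = Vehicle(x, y, theta, v), Controller(path), 0.0
    pending = sorted(brake_schedule)
    for i in range(int(round(t_end / dt))):
        t = i * dt
        while pending and pending[0][0] <= t + 1e-9:
            ctl.brake(pending.pop(0)[1])
        if ctl.now + 1e-9 >= ctl.next:            # "stop when now = next": main fires
            ctl.main(veh)
        v_before = veh.v
        dtheta = veh.step(ctl.a, ctl.phi, dt)
        ctl.evolve(v_before, dt, dtheta)
        max_dev = max(max_dev, abs(ctl.e1))
    return ctl, veh, max_dev
```

With the gains above the deviation dynamics are overdamped, so a vehicle started 0.5 m off a straight path converges without overshoot and reaches successive waypoints; after a brake pulse the bang-bang law brings the speed back to at most $v_t + \Delta a_{max}$, the $V_{max}$ of Section 5.1.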

4.3 Complete System

Let $\mathcal{A}$ be the composition of the Controller and the Vehicle automata. The continuous state of $\mathcal{A}$ is defined by the valuations of $x, y, \theta, v, e_1, e_2$, and $d$ of Vehicle and Controller. For convenience, we define a single derived variable $s$ of type $X = \mathbb{R}^7$ encapsulating all these variables. The discrete state of $\mathcal{A}$ is defined by the valuations of $brake$, $path$ and $seg$ of Controller. A derived variable $loc$ of type $\mathcal{L} = \mathrm{Tuple}[\{On, Off\}, \mathrm{Seq}[\mathbb{R}^2], \mathbb{N}]$ is defined encapsulating all these variables. It can be checked easily that the composed automaton $\mathcal{A}$ is a PCHA. Appendix A describes the variables, actions, and state transition functions of the corresponding PCHA.

5. ANALYSIS OF THE SYSTEM

Overview. The informally stated goals of the system translate to the following subgoals:

A. (safety) At all reachable states of $\mathcal{A}$, the deviation ($e_1$) of the vehicle is upper-bounded by $e_{max}$, where $e_{max}$ is determined in terms of system parameters.

B. (segment progress) There exist certain threshold values of deviation, disorientation, and waypoint-distance such that from any state $\mathbf{x}$ with greater deviation, disorientation and waypoint-distance, the vehicle reduces its deviation and disorientation with respect to the current segment, while making progress towards its current waypoint.

C. (waypoint progress) The vehicle reaches successive waypoints.

First, in Sections 5.1 and 5.2, we define a family $\{\mathcal{I}_k\}_{k \in \mathbb{N}}$ of subsets of $Q_{\mathcal{A}}$ and, using Lemma 3.2 and Lemma 3.3, we conclude that they are invariant with respect to the control-free execution fragments of $\mathcal{A}$. From the specification of the main action, we see that continuous state changes only occur if $path \neq new\_path$ or waypoint-distance $d \leq 0$. Hence, using Theorem 3.4, we conclude that any execution fragment starting in $\mathcal{I}_k$ remains within $\mathcal{I}_k$, provided that the path and current segment do not change.

In Section 5.3, we establish the segment progress property (B) by showing that starting from $\mathcal{I}_k$, $\mathcal{I}_{k+1}$ is reached in a finite amount of time, and for $k$ smaller than the threshold value $k^*$, $\mathcal{I}_{k+1}$ is strictly contained in $\mathcal{I}_k$. Finally, in Section 5.4, we prove an invariance of $\mathcal{I}_0$ and derive geometric properties of planner paths that can be followed by $\mathcal{A}$ safely. These geometric properties specify the minimum length of a path segment and the relationship between the segment length and the maximum difference between consecutive segment orientations, and are derived from the segment progress property. An invariance of $\mathcal{I}_0$ provides a proof certificate that $\mathcal{A}$ satisfies the safety property (A) and the waypoint progress property (C).

5.1 Family of Invariants

We define, for each $k \in \mathbb{N}$, the set $\mathcal{I}_k$ that bounds the deviation of the vehicle $e_1$ to be within $[-\epsilon_k, \epsilon_k]$. This bound on deviation alone, of course, does not give us an inductive invariant. If the deviation is $\epsilon_k$ and the vehicle is highly disoriented, then it would violate $\mathcal{I}_k$. Thus, $\mathcal{I}_k$ also bounds the disorientation such that the steering angle computed based on the proportional control law is within $[-\phi_k, \phi_k]$. To prevent the vehicle from not being able to turn at low speed and to guarantee that the execution speed of the controller is fast enough with respect to the speed of the vehicle, $\mathcal{I}_k$ also bounds the speed of the vehicle. $\mathcal{I}_k$ is defined in terms of

$$\mathcal{I}_k = \{ \mathbf{x} \in Q \mid \forall i \in \{1, \ldots, 6\},\ F_{k,i}(\mathbf{x}.s) \geq 0 \} \quad (11)$$

where $F_{k,1}, \ldots, F_{k,6} : X \to \mathbb{R}$ are defined as follows:

$$F_{k,1}(s) = \epsilon_k - s.e_1; \qquad F_{k,2}(s) = \epsilon_k + s.e_1; \quad (12)$$

$$F_{k,3}(s) = \phi_k + k_1 s.e_1 + k_2 s.e_2; \qquad F_{k,4}(s) = \phi_k - k_1 s.e_1 - k_2 s.e_2; \quad (13)$$

$$F_{k,5}(s) = V_{max} - s.v; \qquad F_{k,6}(s) = \delta s.v - \phi_b. \quad (14)$$

Here $V_{max} = v_t + \Delta a_{max}$ and $\phi_b > 0$ is an arbitrary constant. As we shall see shortly, the choice of $\phi_b$ affects the minimum speed of the vehicle and also the requirements of a brake action. We examine a state $\mathbf{x} \in \mathcal{I}_k$, that is, $F_{k,i}(\mathbf{x}.s) \geq 0$ for any $i \in \{1, \ldots, 6\}$. $F_{k,1}(s), F_{k,2}(s) \geq 0$ means $s.e_1 \in [-\epsilon_k, \epsilon_k]$. $F_{k,3}(s), F_{k,4}(s) \geq 0$ means that the steering angle computed based on the proportional control law is in the range $[-\phi_k, \phi_k]$. Further, if $\phi_k \leq \phi_{max}$, then the computed steering satisfies the physical constraint of the vehicle. If, in addition, we have $\phi_b \geq \phi_k$ and $F_{k,6}(s) \geq 0$, then the vehicle actually executes the computed steering command. $F_{k,5}(s) \geq 0$ means that the speed of the vehicle is at most $V_{max}$. The sets $\mathcal{I}_k$, projected onto the $(e_1, e_2)$ plane, for different values of the parameters $\epsilon_k$ and $\phi_k$ are shown in Figure 6.


Fig. 6. The set $\mathcal{I}_k$ for different values of $\epsilon_k$ and $\phi_k$, projected onto the $e_1, e_2$ plane.


For each $k \in \mathbb{N}$, we define

$$\theta_{k,1} = \frac{k_1}{k_2}\epsilon_k - \frac{1}{k_2}\phi_k \quad (15)$$

$$\theta_{k,2} = \frac{k_1}{k_2}\epsilon_k + \frac{1}{k_2}\phi_k \quad (16)$$

That is, $\theta_{k,1}$ and $\theta_{k,2}$ are the values of $e_2$ at which the proportional control law yields the steering angle $\phi_k$ and $-\phi_k$ respectively, given that the value of $e_1$ is $-\epsilon_k$. From the above definitions, we make the following observations about the boundary of the $\mathcal{I}_k$ sets: for any $k \in \mathbb{N}$ and $\mathbf{x} \in \mathcal{I}_k$,

(a) $\mathbf{x}.e_2 \in [-\theta_{k,2}, \theta_{k,2}]$,

(b) $F_{k,1}(\mathbf{x}.s) = 0$ implies $\mathbf{x}.e_2 \in [-\theta_{k,2}, -\theta_{k,1}]$,

(c) $F_{k,2}(\mathbf{x}.s) = 0$ implies $\mathbf{x}.e_2 \in [\theta_{k,1}, \theta_{k,2}]$,

(d) $F_{k,3}(\mathbf{x}.s) = 0$ implies $\mathbf{x}.e_2 \in [-\theta_{k,2}, \theta_{k,1}]$, and

(e) $F_{k,4}(\mathbf{x}.s) = 0$ implies $\mathbf{x}.e_2 \in [-\theta_{k,1}, \theta_{k,2}]$.

We assume that $\phi_b$ and all the $\epsilon_k$'s and $\phi_k$'s satisfy the following assumptions, which are derived from physical and design constraints on the controller. The region in the $\phi_k$-$\epsilon_k$ plane that satisfies Assumption 5.1 is shown in Figure 7.


Assumption 5.1. (Vehicle and controller design)

(a) $\phi_k \leq \phi_b \leq \phi_{max}$ and $\phi_k < \frac{\pi}{2}$

(b) $0 < \theta_{k,1} < \theta_{k,2} < \frac{\pi}{2}$

(c) $L \cot\phi_k \sin\theta_{k,2} \leq \frac{k_2}{k_1}$

(d) $\Delta < \frac{c}{b}$ where $c = \ldots(\phi_k - \xi)$, $b = V_{max}\sqrt{\sin^2\theta_{k,2} + \ldots}$ and $\xi = \cot^{-1}\left(\frac{\ldots}{k_1 L \sin\theta_{k,2}}\right)$ (the elided terms are illegible in this copy)

(e) $\frac{\tan\phi_k}{2L}\,\ldots\,\Delta \leq \ldots$ (illegible in this copy)

Using Assumption 5.1(c), it can be shown that $\ldots$, so $\ldots > 0$.


Fig. 7. (a) The set of $(\epsilon_k, \phi_k)$ which satisfies Assumptions 5.1 (c) and (d), represented by the green region. (b) The relationship between the maximum bound on $\Delta$ and $\phi_k$ for $\epsilon_k = \ldots$


If the vehicle is forced to slow down too much at the boundary of an $\mathcal{I}_k$ by the brakes, then it may not be able to turn enough to remain inside $\mathcal{I}_k$. Thus, in verifying the above properties we need to restrict our attention to executions under a certain good brake controller in which brake inputs do not occur at low speeds and are not too persistent. This is formalized by the next definition.

Definition 5.2. A brake controller is good if its composition with Controller gives rise to Controller executions that satisfy: if a brake($On$) action occurs at time $t$ then (a) $\alpha(t).v \geq \frac{\phi_b}{\delta} + \Delta|a_{brake}|$, and (b) brake($Off$) must occur within time

$$\frac{1}{|a_{brake}|}\left(\alpha(t).v - \frac{\phi_b}{\delta} - \Delta|a_{brake}|\right).$$

We assume that the brake controller satisfies the above assumption and for the remainder of this section, we only consider executions under a good brake controller. A state $\mathbf{x} \in Q_{\mathcal{A}}$ is reachable if there exists an execution $\alpha$ under a good brake controller with $\alpha.lstate = \mathbf{x}$.


5.2 Invariance Property

We fix a $k \in \mathbb{N}$ for the remainder of the section and denote $\mathcal{I}_k$, $F_{k,i}$ as $\mathcal{I}$ and $F_i$, respectively, for $i \in \{1, \ldots, 6\}$. As in Lemma 3.2, we define $I = \{ s \in X \mid \forall i \in \{1, \ldots, 6\},\ F_i(s) \geq 0 \}$ and, for each $i \in \{1, \ldots, 6\}$, $\partial I_i = \{ s \in X \mid F_i(s) = 0 \}$, and let the functions $f_1, f_2, \ldots, f_7 : X \to \mathbb{R}$ as defined in Appendix A describe the evolution of $x, y, \theta, v, e_1, e_2$ and $d$, respectively. We prove that $I$ satisfies the control-free invariance condition of Lemma 3.1 by applying Lemma 3.2.

First, we define the sets $C_1, \ldots, C_6$ and show that all the assumptions in Lemma 3.2 are satisfied. The proof does not involve solving differential equations but requires algebraic simplification of the expressions defining the vector fields and the boundaries $\{\partial I_i\}_{i \in \{1, \ldots, 6\}}$ of the invariant set.

$$C_1 = C_2 = \emptyset \quad (17)$$

$$C_3 = \{ s \in I \mid -k_1 s.e_1 - k_2 s.e_2 \leq 0 \ \vee\ L\cot(-k_1 s.e_1 - k_2 s.e_2)\sin\theta_{k,2} > \tfrac{k_2}{k_1} \} \quad (18)$$

$$C_4 = \{ s \in I \mid -k_1 s.e_1 - k_2 s.e_2 \geq 0 \ \vee\ L\cot(k_1 s.e_1 + k_2 s.e_2)\sin\theta_{k,2} > \tfrac{k_2}{k_1} \} \quad (19)$$

$$C_5 = \{ s \in I \mid s.v \leq v_t \} \quad (20)$$

$$C_6 = \{ s \in I \mid s.v \geq \tfrac{\phi_b}{\delta} + \Delta|a_{brake}| \} \quad (21)$$

From the definition of a good brake controller (Definition 5.2), we show that when the value of the variable $brake$ is On, the speed of the vehicle is at least $\frac{\phi_b}{\delta} + \Delta|a_{brake}|$.

Lemma 5.3. At any reachable state $\mathbf{x}$ of $\mathcal{A}$, if $\mathbf{x}.brake = On$ then $\mathbf{x}.v \geq \frac{\phi_b}{\delta} + \Delta|a_{brake}|$.

Proof. Consider an arbitrary execution fragment $\alpha = \tau_0 a_1 \tau_1 a_2 \ldots$ and an arbitrary $i \in \mathbb{N}$ such that $(\tau_i \downarrow brake)(0) = On$. Since the initial value of the variable $brake$ is Off, there must exist $j \leq i$ such that $a_j$ is a brake($On$) action and for any natural number $m \in [j, i]$, $a_m$ is not a brake($Off$) action. Let $(\tau_{j-1}.lstate) \lceil v = v_b$. Since $a_j$ is a brake($On$) action which does not affect $v$, we get $(\tau_j.fstate) \lceil v = v_b$. From Definition 5.2, $v_b \geq \frac{\phi_b}{\delta} + \Delta|a_{brake}|$ and there must exist $k > i$ such that $a_k$ is a brake($Off$) action and $\sum_{m=j}^{k-1} \tau_m.ltime \leq \frac{1}{|a_{brake}|}\left(v_b - \frac{\phi_b}{\delta} - \Delta|a_{brake}|\right)$. So for any $t \in dom(\tau_i)$, we get

$$(\tau_i \downarrow v)(t) \geq v_b + \min f_4(s, g(l, s_0))\Big(t + \sum_{m=j}^{i-1} \tau_m.ltime\Big) \geq v_b + a_{brake}\Big(\sum_{m=j}^{k-1} \tau_m.ltime\Big) \geq \frac{\phi_b}{\delta} + \Delta|a_{brake}|.$$

□


The  next  lemma  shows  that  the  subtangential,  bounded  distance  and  bounded 
speed  conditions  (of  Lemma  3.2)  are  satisfied  with  the  the  sets  defined 

in  (17)-(21).  The  proof  applies  Lemma  3.3.  The  knowledge  about  the  reachable 
state  X  of  .4  with  x.6rafce  =  On,  provided  in  Lemma  5.3,  is  needed  to  prove  the 
subtangential  condition  for  j  =  6. 

Lemma  5.4.  For  each  I  G  C  and  j  G  {1,...,6},  the  subtangential,  bounded  dis¬ 
tance,  and  bounded  speed  conditions  (of  Lemma  3.2)  are  satisfied. 

Proof.  Since  Ci,  C2  =  0,  we  see  that  the  bounded  distance  and  bounded  speed 
conditions  are  automatically  satisfied  for  j  =  1,2  with  any  arbitrary  large  Cj  and 
arbitrary  small  bj.  Now,  consider  an  arbitrary  sg  G  /  and  s  G  dli.  By  definition, 
Fi{s)  =  0.  From  the  definition  of  9kp  and  9k, 2  and  Assumption  5.1(b),  5.62  G 
[—9k,2,—9k,i]  C  (—-1,0].  In  addition,  since  s  G  /,  Fe{s)  =  ds.v—  4>b  >  0  and  since 


(5  >  0  and  (j)b  >  0,  s.v  >  0.  Thus, 

^(s)  •  f{s,g{l,so))  =  =  -s.t>sin(s.e2)  >  0 

For  j  =  2,  the  subtangential  condition  can  be  proved  in  a  similar  way. 

To prove the bounded distance and the bounded speed conditions for $j = 3, \ldots, 6$, we apply Lemma 3.3. Let $U_j = \{g(l, s) \mid l \in \mathcal{L}, s \in \mathcal{I}\}$. From the definition of $\mathcal{I}$, we get that for any $s_0 \in \mathcal{I}$, $-k_1 s_0.e_1 - k_2 s_0.e_2 \in [-\phi_k, \phi_k] \subset (-\pi/2, \pi/2)$. Therefore, $f$ is continuous in $\mathcal{I} \times U_j$.

In addition, it can be easily checked that the projection of $\mathcal{I}$ onto the $(e_1, e_2, v)$ space is compact and for any $j \in \{3, \ldots, 6\}$, $\mathcal{C}_j$ is closed. Since the only variables involved in proving the control-free invariance condition of Lemma 3.1 are $e_1$, $e_2$ and $v$, whose evolution along a trajectory can be described without other variables, from the proof of Lemma 3.2 and Lemma 3.3 we see that the requirement that $\mathcal{I}$ is compact can be relaxed to the requirement that the projection of $\mathcal{I}$ onto the $(e_1, e_2, v)$ space is compact. Hence, from Lemma 3.3, to prove that conditions (a)-(c) of Lemma 3.2 hold, we only need to show that for any $l \in \mathcal{L}$, the following conditions are satisfied for each $j \in \{3, \ldots, 6\}$:

(1) $\mathcal{C}_j \cap \partial\mathcal{I}_j = \emptyset$

(2) For any $s_0 \in \mathcal{I} \setminus \mathcal{C}_j$ and $s \in \partial\mathcal{I}_j$, $\frac{\partial F_j}{\partial s}(s) \cdot f(s, g(l, s_0)) \ge 0$

Consider an arbitrary $s \in \partial\mathcal{I}_3$. From the definition of $\mathcal{I}_3$, $-k_1 s.e_1 - k_2 s.e_2 = \phi_k > 0$. So from Assumption 5.1(c), $L\cot(-k_1 s.e_1 - k_2 s.e_2)\sin\theta_{k,2} < k_2/k_1$. Therefore, $\mathcal{C}_3 \cap \partial\mathcal{I}_3 = \emptyset$. Pick an arbitrary $s_0 \in \mathcal{I} \setminus \mathcal{C}_3$. From the definition of $\mathcal{I}$ and $\mathcal{C}_3$, $0 < -k_1 s_0.e_1 - k_2 s_0.e_2 \le \phi_k$ and $L\cot(-k_1 s_0.e_1 - k_2 s_0.e_2)\sin\theta_{k,2} < k_2/k_1$. Combining this with Assumption 5.1(a), we get $0 < -k_1 s_0.e_1 - k_2 s_0.e_2 < \pi/2$ and $|-k_1 s_0.e_1 - k_2 s_0.e_2| < \phi_{max}$. In addition, since $s_0 \in \mathcal{I}$, $F_6(s_0) \ge 0$ and so $\delta\, s_0.v \ge \phi_b \ge \phi_k \ge |-k_1 s_0.e_1 - k_2 s_0.e_2|$, and since $s \in \mathcal{I}$, $s.v > 0$. Therefore, we can conclude that

$$\frac{d\, s.e_2}{dt} = \frac{s.v}{L}\tan(-k_1 s_0.e_1 - k_2 s_0.e_2) > 0$$

and from Assumption 5.1(b), $s.e_2 \in [-\theta_{k,2}, \theta_{k,1}] \subset (-\pi/2, 0]$. So we get

$$\frac{d\, s.e_1}{d\, s.e_2} = L\cot(-k_1 s_0.e_1 - k_2 s_0.e_2)\sin(s.e_2) \ge -L\cot(-k_1 s_0.e_1 - k_2 s_0.e_2)\sin\theta_{k,2} > -\frac{k_2}{k_1}.$$

Thus,

$$\frac{\partial F_3}{\partial s}(s) \cdot f(s, g(l, s_0)) = k_2\frac{d\, s.e_2}{dt} + k_1\frac{d\, s.e_1}{dt} = \frac{d\, s.e_2}{dt}\Big(k_2 + k_1\frac{d\, s.e_1}{d\, s.e_2}\Big) > 0.$$

This completes the proof for $j = 3$.

For $j = 4$, we can follow the previous proof to show that $\mathcal{C}_4 \cap \partial\mathcal{I}_4 = \emptyset$, $\frac{d\, s.e_2}{dt} < 0$ and $\frac{d\, s.e_1}{d\, s.e_2} > -\frac{k_2}{k_1}$, and so

$$\forall s_0 \in \mathcal{I} \setminus \mathcal{C}_4,\quad \frac{\partial F_4}{\partial s}(s) \cdot f(s, g(l, s_0)) \ge 0.$$

Next, consider an arbitrary $s \in \partial\mathcal{I}_5$. From the definition of $\partial\mathcal{I}_5$, $s.v = v_{max}$. Since $a_{max}, \Delta > 0$, $v_{max} = v_t + \Delta a_{max} > v_t$. Therefore, $\mathcal{C}_5 \cap \partial\mathcal{I}_5 = \emptyset$. Pick an arbitrary $s_0 \in \mathcal{I} \setminus \mathcal{C}_5$. From the definition of $\mathcal{I}$ and $\mathcal{C}_5$, $v_t \le s_0.v \le v_{max}$. Therefore, we can conclude that

$$\frac{\partial F_5}{\partial s}(s) \cdot f(s, g(l, s_0)) \ge 0.$$

This completes the proof for $j = 5$.

Finally, consider an arbitrary $s \in \partial\mathcal{I}_6$. From the definition of $\partial\mathcal{I}_6$, $s.v = \phi_b/\delta$. Since $\Delta|a_{brake}| > 0$, $\phi_b/\delta < \phi_b/\delta + \Delta|a_{brake}|$. Therefore, $\mathcal{C}_6 \cap \partial\mathcal{I}_6 = \emptyset$. Consider an arbitrary $s_0 \in \mathcal{I} \setminus \mathcal{C}_6$. From Lemma 5.3 and the definition of $f_4$, we see that $f_4(s, g(l, s_0)) = a_{brake}$ only if $s_0.v > \phi_b/\delta + \Delta|a_{brake}|$. But since $s_0 \in \mathcal{I} \setminus \mathcal{C}_6$, from the definition of $\mathcal{I}$ and $\mathcal{C}_6$, $s_0.v \le \phi_b/\delta + \Delta|a_{brake}|$. Therefore, $f_4(s, g(l, s_0))$ is either $0$ or $a_{max}$ and so we can conclude that

$$\frac{\partial F_6}{\partial s}(s) \cdot f(s, g(l, s_0)) = \delta f_4(s, g(l, s_0)) \ge 0.$$

□


From the definition of each $\mathcal{C}_j$, we can derive the lower bound $c_j$ on the distance from $\mathcal{C}_j$ to $\partial\mathcal{I}_j$ and the upper bound $b_j$ on the length of the vector field $f$ where the control variable $u$ is evaluated when the continuous state $s \in \mathcal{C}_j$. Using these bounds, we prove the sampling rate condition.

Lemma 5.5. For each $l \in \mathcal{L}$, the sampling rate condition (of Lemma 3.2) is satisfied.

Proof. For each $j \in \{1, \ldots, 6\}$, we want to find $c_j$ and $b_j$ which satisfy conditions (b) and (c) of Lemma 3.2. First, we note that for $j = 1, 2$, $\mathcal{C}_j = \emptyset$, so $c_j$ can be arbitrarily large and $b_j$ can be arbitrarily small and therefore any $\Delta \in \mathbb{R}^+$ satisfies the sampling rate condition of Lemma 3.2. For $j = 5, 6$, it can be easily shown that $c_5 = \Delta a_{max}$, $b_5 = a_{max}$, $c_6 = \Delta|a_{brake}|$ and $b_6 = |a_{brake}|$, thus $c_j/b_j = \Delta$. That is, $\Delta$ can be an arbitrarily large number if we only consider $j = 1, 2, 5, 6$. So we only have to consider $j = 3, 4$. From Assumption 5.1(c), there exists

$$\bar\phi = \cot^{-1}\Big(\frac{k_2}{k_1 L \sin\theta_{k,2}}\Big) < \phi_k.$$

Using symmetry, we get that for $j = 3$ and $j = 4$, the shortest distance between $U_j$ and $\partial\mathcal{I}_j$ is then given by

$$c_j = \min_{s \in \partial\mathcal{I}_j,\; s_0 \in U_j} \|s - s_0\|.$$

Since $\forall s \in \mathcal{I}$, $s.e_2 \in [-\theta_{k,2}, \theta_{k,2}] \subset (-\pi/2, \pi/2)$, we have

$$b_j = \max_{s \in \mathcal{I},\; s_0 \in U_j} \|f(s, g(l, s_0))\| \le v_{max}\sqrt{\sin^2\theta_{k,2} + \frac{1}{L^2}\tan^2(\bar\phi)}.$$

From Assumption 5.1(d), we see that $\Delta \le \min_{j \in \{3,4\}} c_j/b_j$. □

Thus, all assumptions in the hypothesis of Lemma 3.2 are satisfied; from Theorem 3.4 we obtain that execution fragments in good brake controller of $\mathcal{A}$ preserve invariance of $\mathcal{I}$, provided that the path and current segment do not change over the fragment.

Theorem 5.6. For any plan-free execution fragment $\beta$ starting at a state $x \in \mathcal{I}$ and ending at $x' \in \mathcal{Q}_{\mathcal{A}}$, if $x.\mathit{path} = x.\mathit{new\_path}$ and $x.\mathit{seg} = x'.\mathit{seg}$, then $x' \in \mathcal{I}$.

Proof. From Lemmas 5.4-5.5, we see that all the conditions in Lemma 3.2 are satisfied. Thus, we can conclude that the control-free invariance condition of Lemma 3.1 is satisfied. In addition, from the specification of the $\mathit{main}$ action, we see that a discrete transition in the continuous state $s$ only occurs when $\mathit{path} \ne \mathit{new\_path}$ (i.e. a new path is received) or $s.d \le 0$ (i.e. the vehicle has reached the end of the current segment). Hence, if a closed execution $\beta$ does not contain a $\mathit{plan}$ action, $\beta.\mathrm{fstate} \lceil \mathit{path} = \beta.\mathrm{fstate} \lceil \mathit{new\_path}$ and $\beta.\mathrm{lstate} \lceil \mathit{seg} = \beta.\mathrm{fstate} \lceil \mathit{seg}$, then a discrete transition in the continuous state $s$ does not occur in $\beta$. Applying Theorem 3.4, we get the desired result. □

5.3 Segment Progress

In this section, we establish the segment progress property, i.e., there exist certain threshold values of deviation, disorientation, and waypoint-distance such that from any state $x$ with greater deviation, disorientation and waypoint-distance, the vehicle reduces its deviation and disorientation with respect to the current segment, while making progress towards its current waypoint. First, we prove the progress property over a pasted trajectory $\tau$ between any two $\mathit{main}$ actions. That is, suppose right after an occurrence of a $\mathit{main}$ action, $x \in \mathcal{I}_k$ for some $k \in \mathbb{N}$. Then, right before an occurrence of the next $\mathit{main}$ action, $x \in \mathcal{I}_{k+1}$ where $\mathcal{I}_{k+1} \subseteq \mathcal{I}_k$, and if $k$ is less than some threshold $k^*$, then $\mathcal{I}_{k+1}$ is strictly contained in $\mathcal{I}_k$.

Next, in Lemma 5.9, we compute the bound $d^*$ on the maximum change in the value of the waypoint distance $d$ over $\tau$. Given the progress property over $\tau$ and the bound $d^*$, we can then establish the segment progress property (B) defined at the beginning of Section 5. That is, starting from a state $x$ and ending at $x'$, if $x \in \mathcal{I}_k$, then $x' \in \mathcal{I}_{k+n}$ where the integer $n \ge 0$ depends on $x.d - x'.d$ and the system parameters, provided that path and current segment do not change. Furthermore, if $x.d - x'.d$ is large enough, then $n$ is strictly positive.

First, we solve the differential equation which describes the evolution of $e_1$ and $e_2$ along $\tau$. From periodicity of $\mathit{main}$ actions we see that $\mathrm{dom}(\tau) = [0, \Delta]$. Define the functions $e_1, e_2, v, v_{avg} : \mathrm{dom}(\tau) \to \mathbb{R}$ as follows: $e_1(t) = (\tau \downarrow e_1)(t)$, $e_2(t) = (\tau \downarrow e_2)(t)$, $v(t) = (\tau \downarrow v)(t)$ and $v_{avg}(t) = \frac{1}{t}\int_0^t v(t')\,dt'$. From the state models of the Vehicle and the Controller specified in Figure 4 and Figure 5, since $\phi$ and $a$ are constant along $\tau$, the differential equations can be solved analytically and the solutions are given by

$$e_1(t) = \begin{cases} e_1(0) + L\cot(\phi)\cos e_2(0) - L\cot(\phi)\cos e_2(t) & \text{if } \phi \ne 0 \\ e_1(0) + v_{avg}(t)\, t \sin e_2(0) & \text{otherwise} \end{cases} \qquad (22)$$

$$e_2(t) = e_2(0) + \frac{\tan\phi}{L}\, v_{avg}(t)\, t$$

where $\phi = \tau.\mathrm{fstate} \lceil \phi$ and $a = \tau.\mathrm{fstate} \lceil a$.

The following lemma provides a bound on the change in $e_1$ over $\tau$ and on the change in $\phi$ between two consecutive $\mathit{main}$ actions assuming that a discrete transition in the continuous state $s$ does not occur.

Lemma 5.7. Suppose $\tau.\mathrm{fstate} \in \mathcal{I}_k$ for some $k \in \mathbb{N}$. Then, $|e_1(0) - e_1(\Delta)| \le \Delta_e$ and $|(k_1 e_1(0) + k_2 e_2(0)) - (k_1 e_1(\Delta) + k_2 e_2(\Delta))| \le \Delta_\phi$ where $\Delta_e = v_{max}\Delta$ and

$$\Delta_\phi = v_{max}\Delta\Big(k_1 + k_2\frac{\tan\phi_k}{L}\Big).$$

Proof. From (22), we see that $|e_1(\Delta) - e_1(0)| \le v_{max}\Delta$ and $|e_2(\Delta) - e_2(0)| \le \frac{\tan\phi_k}{L} v_{max}\Delta$. So

$$|(k_1 e_1(0) + k_2 e_2(0)) - (k_1 e_1(\Delta) + k_2 e_2(\Delta))| \le k_1|e_1(\Delta) - e_1(0)| + k_2|e_2(\Delta) - e_2(0)| \le k_1 v_{max}\Delta + k_2\frac{\tan\phi_k}{L} v_{max}\Delta.$$

□
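As an added example (this is not code from the paper), the following Python evaluates the closed-form solution (22) over one control period, cross-checks it against a numerical integration, and computes the Lemma 5.7 bounds $\Delta_e$ and $\Delta_\phi$. It assumes the error dynamics $\dot e_1 = v\sin e_2$, $\dot e_2 = (v/L)\tan\phi$, $\dot v = a$ (the form implied by the derivative expressions used in the proof of Lemma 5.4), the steering law $\phi = -k_1 e_1 - k_2 e_2$ clipped to $[-\phi_k, \phi_k]$, and constructed parameter values (wheelbase, gains, period, speed bound); none of these numbers come from the paper.

```python
"""Closed-form error evolution over one control period (eq. (22)) and the
Lemma 5.7 bounds, checked against numerical integration.
Added example; the paper contains no code. All numbers are constructed.

Assumed model (the form implied by the derivative expressions in the proof of
Lemma 5.4): de1/dt = v*sin(e2), de2/dt = (v/L)*tan(phi), dv/dt = a, with the
steering angle phi and the acceleration a held constant over [0, Delta]."""
import math


def v_avg(v0, a, t):
    """(1/t) * integral_0^t v(t') dt' for v(t') = v0 + a*t'."""
    return v0 + 0.5 * a * t


def closed_form(e1_0, e2_0, v0, a, phi, L, t):
    """Equation (22): (e1(t), e2(t)) for constant phi and a."""
    va = v_avg(v0, a, t)
    e2_t = e2_0 + math.tan(phi) / L * va * t
    if phi != 0.0:
        cot = 1.0 / math.tan(phi)
        e1_t = e1_0 + L * cot * math.cos(e2_0) - L * cot * math.cos(e2_t)
    else:
        e1_t = e1_0 + va * t * math.sin(e2_0)
    return e1_t, e2_t


def simulate(e1_0, e2_0, v0, a, phi, L, t, steps=20000):
    """RK4 integration of the assumed dynamics; used only to cross-check (22)."""
    def f(state):
        e1, e2, v = state
        return (v * math.sin(e2), v / L * math.tan(phi), a)

    h = t / steps
    s = (e1_0, e2_0, v0)
    for _ in range(steps):
        k1 = f(s)
        k2 = f(tuple(si + 0.5 * h * ki for si, ki in zip(s, k1)))
        k3 = f(tuple(si + 0.5 * h * ki for si, ki in zip(s, k2)))
        k4 = f(tuple(si + h * ki for si, ki in zip(s, k3)))
        s = tuple(si + h / 6.0 * (a1 + 2 * a2 + 2 * a3 + a4)
                  for si, a1, a2, a3, a4 in zip(s, k1, k2, k3, k4))
    return s[0], s[1]


def lemma_5_7_bounds(k1, k2, phi_k, L, v_max, Delta):
    """Delta_e = v_max*Delta, Delta_phi = v_max*Delta*(k1 + k2*tan(phi_k)/L)."""
    return v_max * Delta, v_max * Delta * (k1 + k2 * math.tan(phi_k) / L)


def check_lemma_5_7(e1_0, e2_0, v0, a, L, k1, k2, phi_k, v_max, Delta):
    """One control period under phi = -k1*e1(0) - k2*e2(0) (clipped to
    [-phi_k, phi_k], an assumption); returns
    (|e1 change|, |phi change|, Delta_e, Delta_phi).
    The bounds hold as long as v stays below v_max over the period."""
    phi = max(-phi_k, min(phi_k, -k1 * e1_0 - k2 * e2_0))
    e1_D, e2_D = closed_form(e1_0, e2_0, v0, a, phi, L, Delta)
    d_e, d_phi = lemma_5_7_bounds(k1, k2, phi_k, L, v_max, Delta)
    de1 = abs(e1_D - e1_0)
    dphi = abs((k1 * e1_0 + k2 * e2_0) - (k1 * e1_D + k2 * e2_D))
    return de1, dphi, d_e, d_phi


if __name__ == "__main__":
    # Constructed values: 3 m wheelbase, 0.1 s period, 5 m/s speed bound.
    args = dict(e1_0=0.3, e2_0=0.1, v0=4.0, a=1.0, L=3.0)
    print("closed form", closed_form(phi=-0.25, t=0.1, **args))
    print("numeric    ", simulate(phi=-0.25, t=0.1, **args))
    print(check_lemma_5_7(0.3, 0.1, 4.0, 1.0, 3.0, 0.5, 1.0, 0.4, 5.0, 0.1))
```

The $\phi = 0$ branch of (22) is exercised separately because the $\cot\phi$ form is singular there; the numerical cross-check confirms that both branches agree with the assumed dynamics, and `check_lemma_5_7` shows the observed changes staying inside $\Delta_e$ and $\Delta_\phi$ for one period.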


The next lemma proves the desired progress property over $\tau$.

Lemma 5.8. Suppose $\tau.\mathrm{fstate} \in \mathcal{I}_k$ for some $k \in \mathbb{N}$. Then $\tau.\mathrm{lstate} \in \mathcal{I}_{k+1}$ whose parameters $\varepsilon_{k+1}$ and $\phi_{k+1}$ are given by

$$\varepsilon_{k+1} = \varepsilon_k - a_k \qquad (23)$$

$$\phi_{k+1} = \phi_k - b_k \qquad (24)$$

where $a_k, b_k \ge 0$ and are given by
Ok  =  Cfe  -  max 
bk  =  -  max( i,(/?) 


6fe+l  — 


max(efc  -  ^fc.Cfc)  if  ek  >  el 
Ck  otherwise 


4’k+l  — 


max  {(j)k  -  i’k,  (1)1)  if  (kk  >  (fl 
(fk  otherwise 

6fe  =  sjj  -|-  Vmax^ 


—  (fk  T  hiVmax^  “t“  *2  ^  r)max 


A 


f  kl  1 

=  —2L  max  cot(()sin  (  ——el  —  —(j) 

06[-07c,<i>7c]  \  *2  *2 

ifk  =  —  tan  (/)t^A  —  2*iLcot  (()t  sin^fc  2  sin 
L  0 


e'k  =  _  max 

4>&[-4>k,4>k\ 


b'k  =  max  I  tan  ^ 


1 


*2  tan  (j) 
kf  2L  ^ 


rA 


tan  (p 
2L 

tan  (pk 
2L 


Vmax^  I  sin 
~’amax^ 


l2kiL^d  .  ^  . 

,  ,  .  sm  Ok, 2  sm 

*2  06  A 


tan  (pk 
2L 


^max^  I  J 


A  ,A, 


(23) 

(24) 


(25) 

(26) 

(27) 

(28) 

(29) 

(30) 

(32) 

(33) 

(34) 


where $\bar\phi$ is the minimum value of $\phi_{k+1}$ such that $\varepsilon'_{k+1}$ and $\phi_{k+1}$ satisfy Assumption 5.1(c).


Proof. Since by definition $\varepsilon_{k+1} \ge \varepsilon'_{k+1}$ and $\phi_{k+1} \ge \phi'_{k+1}$, we see that if $|\tau.\mathrm{lstate} \lceil e_1| \le \varepsilon'_{k+1}$ and $|k_1(\tau.\mathrm{lstate} \lceil e_1) + k_2(\tau.\mathrm{lstate} \lceil e_2)| \le \phi'_{k+1}$, then $\tau.\mathrm{lstate} \in \mathcal{I}_{k+1}$. To show that $\varepsilon_{k+1}$ and $\phi_{k+1}$ satisfy Assumption 5.1 and that $a_k, b_k \ge 0$, we use the following observations: (a) $\psi_k \ge 0$ and $\Xi(\varepsilon_k) \ge 0$ and thus, $\varepsilon'_{k+1} \le \varepsilon_k$ and $\phi'_{k+1} \le \phi_k$, (b) given $\phi'_{k+1}$, $\bar\varepsilon$ is the minimum value of $\varepsilon_{k+1}$ such that $\varepsilon_{k+1}$ and $\phi'_{k+1}$ satisfy Assumption 5.1, (c) given $\varepsilon'_{k+1}$, $\bar\phi$ is the minimum value of $\phi_{k+1}$ such that $\varepsilon'_{k+1}$ and $\phi_{k+1}$ satisfy Assumption 5.1, and (d) $\bar\phi$ decreases as $\varepsilon$ decreases. With these observations and the assumption that $\varepsilon_k$ and $\phi_k$ satisfy Assumption 5.1, it can be easily checked that (a) $\varepsilon_{k+1} \le \varepsilon_k$ and $\phi_{k+1} \le \phi_k$, (b) if $\varepsilon_k > \varepsilon^*_k$ and $\phi_k > \phi^*_k$, then $\varepsilon'_{k+1} < \varepsilon_k$ and $\phi'_{k+1} < \phi_k$, and (c) if $\varepsilon_{k+1} \ne \varepsilon'_{k+1}$, then $\phi_{k+1} = \phi'_{k+1}$, and if $\phi_{k+1} \ne \phi'_{k+1}$, then $\varepsilon_{k+1} = \varepsilon'_{k+1}$. Thus, we can conclude that $\varepsilon_{k+1}$ and $\phi_{k+1}$ satisfy Assumption 5.1 and that if $\varepsilon_k > \varepsilon^*_k$ and $\phi_k > \phi^*_k$, then $\varepsilon_{k+1} < \varepsilon_k$ and $\phi_{k+1} < \phi_k$.

So what remains to be proved are $|\tau.\mathrm{lstate} \lceil e_1| \le \varepsilon'_{k+1}$ and $|k_1(\tau.\mathrm{lstate} \lceil e_1) + k_2(\tau.\mathrm{lstate} \lceil e_2)| \le \phi'_{k+1}$. From Theorem 5.6, $\tau.\mathrm{lstate} \in \mathcal{I}_k$. Thus, we can conclude that $\phi'_{k+1} \le \phi_k$ and $\varepsilon'_{k+1} \le \varepsilon_k$. This completes the proof for the second case of (27) and (28).

Next, we prove the first case of (28). Let $\phi_f = -k_1 e_1(0) - k_2 e_2(0)$ and $\phi_l = -k_1 e_1(\Delta) - k_2 e_2(\Delta)$. Suppose $|\phi_f| > \Delta_\phi$. From (22), we get that


—ki  (ei(0)  +  Lcot  </>!  cos(e2(0)) 


Lcot  (j)i  cos(e2(A)))  —  k2 


,  .  tan  6 f 
62(0)  H - ^Va 


,A 


where  Vavg  is  the  average  speed  of  the  vehicle  over  r.  Substituting  ei(0)  =  —■^62(0)  — 
we  get 


(t>f  —  (  —  tan  H- 2A:iLcot  sin(-(e2(0) 


62  (A)))  sin 


tan  (j)f 
2L 


Since $\tau.\mathrm{fstate}, \tau.\mathrm{lstate} \in \mathcal{I}_k$, from the definition of $\theta_{k,2}$, we see that $|e_2(0)|, |e_2(\Delta)| \le \theta_{k,2}$. So $|\tfrac{1}{2}(e_2(0) + e_2(\Delta))| \le \theta_{k,2}$. In addition, from Theorem 5.6 and the definition of $F_5$ and $F_6$, we know that $\phi_b/\delta \le v_{avg} \le v_{max}$. From Lemma 5.8, we get that $\phi_f$ and $\phi_l$ have the same sign. So it is easy to show that

<  |^/|-  ^Y^an|(()/|yA  -  2fciLcot  l^/l  sin6>fc,2sin  . 


Define the function $\Psi : [0, \phi_k] \to \mathbb{R}$ by


vI/(0) 


tl 

L 


tan  (/>-r  A 
0 


2fciLcot  ^sin  9k,2  sin 


tan  (fk 
2L 


That is, $\psi_k = \Psi(\phi_k)$. It can be easily checked that with Assumption 5.1(e), $\Psi(\phi)$ increases with $\phi$ and vanishes when $\phi$ equals the arctangent of the expression displayed below, which does not exceed $\phi^*_k$ defined in (34). For $\phi > \phi^*_k$, $\Psi(\phi) > 0$. From Lemma

2k,L^S 
fe2  06A 


Sin  tik  2  sin 


tan  4)k 
2L 


r.A 


5.7, we also know that for any $\phi_f \in [-\phi_k, \phi_k]$,

$$|\phi_l| \le |\phi_f| + k_1 v_{max}\Delta + k_2\frac{\tan\phi_k}{L} v_{max}\Delta.$$

We thus arrive at the following conclusion:

fl'/'/l-V’fc  ifk/l></'fe 

<  Wfe  if  <  |(/>/|  < 

[  |(/)/|  +  fclfmaa;A  +  fc2^^^fmaa;A  if  |(/)/|  <  (/)J, 

Thus,  |^/|  <  max((/)fc  -  V'fe,  ^fc). 

Finally, we prove the first case of (27). From (22), we get that

$$e_1(\Delta) = e_1(0) + 2L\cot\phi_f \sin\Big(e_2(0) + \frac{\tan\phi_f}{2L} v_{avg}\Delta\Big)\sin\Big(\frac{\tan\phi_f}{2L} v_{avg}\Delta\Big).$$

Note that the case where $\phi_f = 0$ is also captured by this equation as $\lim_{\phi_f \to 0} 2L\cot\phi_f \sin\big(\frac{\tan\phi_f}{2L} v_{avg}\Delta\big) = v_{avg}\Delta$. Define the function $\Xi : [0, \varepsilon_k] \to \mathbb{R}$ by

.  f  ta.n  <p  (j)b  ^ 

V  (^T* 

That is, $\Xi(\varepsilon_k)$ is the decrement appearing in (27). It can be easily checked that with Assumption 5.1(e), $\Xi(\varepsilon) >$
0  for  any  e  >  ej,  and  that  if  ei(0)  >  e).,  then  62(0)  <  — fj-Cfc  —  and  so 

2Lcot^/sin  (^62(0)  +  l2^Uat,gA^  sin  ('ta.n^/^at,gA^  <  -^k-  Using  symmetry,  we 

can derive a similar lower bound for the case where $e_1(0) < -\varepsilon^*_k$. From Lemma 5.7, we also know that

$$|e_1(\Delta)| \le |e_1(0)| + v_{max}\Delta.$$

So  we  arrive  at  the  following  conclusion: 

nei(0)|-Cfe  if|ei(0)|>e^ 

|ei(A)|  <  <  if  e'^  <  |ei(0)|  <  el 

[  |ei(0)|  TUmoxA  if  |ei(0)|  <  el 

Thus,  |ei(A)|  <  max(efe  -  □ 

Define $k^*$ to be the minimum value of $k$ such that $\varepsilon_k \le \varepsilon^*_k$ or $\phi_k \le \phi^*_k$. (If for any $k$, $\varepsilon_k > \varepsilon^*_k$ and $\phi_k > \phi^*_k$, just pick an arbitrary natural number $k^*$.) Then, for any $k < k^*$, $a_k$ and $b_k$ are strictly positive, that is, $\mathcal{I}_{k+1} \subset \mathcal{I}_k$. The progress in the deviation and disorientation is plotted in Figure 8.

The following lemma provides the value of the bound $d^*$ on the maximum change in the value of $d$ over $\tau$.

Lemma 5.9. Suppose $\tau.\mathrm{fstate} \in \mathcal{I}_k$ for some $k \in \mathbb{N}$. For any $t \in \mathrm{dom}(\tau)$, $|(\tau \downarrow d)(t) - \tau.\mathrm{fstate} \lceil d| \le d^*$ where $d^* = v_{max}\Delta$.

Proof. From Theorem 5.6, the definition of $F_5$ and $F_6$ and the definition of $f_7$ which describes the evolution of $d$, we get that $\max_{s, s_0 \in \mathcal{I}} \|f_7(s, g(l, s_0))\| \le v_{max}$.


E!(e)  =  —2L  max 


cot  ^ sin  (  — -^e  — 


tan  (j) 
2L  ^ 


Fig. 8. The progress in deviation and disorientation. (a) The relationship between $\varepsilon_k$ and $k$. (b) The relationship between $\phi_k$ and $k$.

Since $\mathrm{dom}(\tau) = [0, \Delta]$, we get $|(\tau \downarrow d)(t) - \tau.\mathrm{fstate} \lceil d| \le \|f_7(s, g(l, s_0))\|\,\Delta \le v_{max}\Delta$. □

Using Lemma 5.8 and Lemma 5.9, we establish the relationship between the progress of the $\mathcal{I}_k$'s and the decrease in the value of $d$.

Lemma 5.10. For each $k \in \mathbb{N}$, starting from any reachable state $x \in \mathcal{I}_k$ such that $x.d > v_{max}\Delta$, $x.\mathit{path} = x.\mathit{new\_path}$ and $x.\mathit{next} = x.\mathit{now}$, any plan-free execution fragment $\beta$ with $\beta.\mathrm{ltime} = \Delta$ satisfies $\beta.\mathrm{lstate} \in \mathcal{I}_{k+1}$ and $\beta.\mathrm{lstate} \lceil d \ge x.d - v_{max}\Delta$.

Proof. Since $x.\mathit{next} = x.\mathit{now}$ and $\beta.\mathrm{ltime} = \Delta$, we see that $\beta$ can be written as $\beta = \beta'$ or $\beta = \beta'\,\mathit{main}\,\tau_j\,\mathit{brake}(b_j)\,\tau_{j+1}\,\mathit{brake}(b_{j+1})\cdots\tau_n$ where $\beta'$ is an execution fragment with exactly one $\mathit{main}$ action $\alpha_i$ which occurs at time 0 and is immediately followed by a $\mathit{main}$ action in the execution, $\beta'.\mathrm{ltime} = \Delta$ and $\tau_j, \ldots, \tau_n$ are point trajectories. Let $\tau$ be the pasted trajectory of all the trajectories after $\alpha_i$ in $\beta'$. Then, $\tau$ is a pasted trajectory of all the trajectories between two $\mathit{main}$ actions and so Lemma 5.8 and Lemma 5.9 apply. Since the $\mathit{main}$ action $\alpha_i$ occurs at time 0 in $\beta$ and a $\mathit{brake}$ action does not affect the value of $s$, we see that $\tau_{i-1}.\mathrm{lstate} \lceil s = x.s$. So $\tau_{i-1}.\mathrm{lstate} \lceil d > v_{max}\Delta > 0$ and hence $\alpha_i$ does not change the value of $s$. That is, $\tau.\mathrm{fstate} = x \in \mathcal{I}_k$. From Lemma 5.8, we get that $\beta'.\mathrm{lstate} \in \mathcal{I}_{k+1}$. In addition, from Lemma 5.9, we see that $\beta'.\mathrm{lstate} \lceil d \ge x.d - v_{max}\Delta$. Since $x.d > v_{max}\Delta$, we get $\beta'.\mathrm{lstate} \lceil d > 0$. Therefore, the $\mathit{main}$ action following $\beta'$ does not change the value of $s$. In addition, since a $\mathit{brake}$ action only affects the $\mathit{brake}$ variable, we see that $\beta.\mathrm{lstate} \lceil s = \beta'.\mathrm{lstate} \lceil s$. Hence, we can conclude that $\beta.\mathrm{lstate} \in \mathcal{I}_{k+1}$ and $\beta.\mathrm{lstate} \lceil d \ge x.d - v_{max}\Delta$. □

Finally, we conclude the section by establishing the segment progress property (B) defined at the beginning of Section 5.

Theorem 5.11. For each $k \in \mathbb{N}$, starting from any reachable state $x \in \mathcal{I}_k$, any reachable state $x'$ is in $\mathcal{I}_{k+n}$ where $n = \max\big(\lfloor (x.d - x'.d)/(v_{max}\Delta) \rfloor - 1, 0\big)$, provided that path and current segment do not change.

Proof. Consider an arbitrary closed execution fragment $\beta$ starting at $x$ and ending at $x'$. Since by assumption $\beta$ is a plan-free execution fragment such that $\beta.\mathrm{lstate} \lceil \mathit{path} = \beta.\mathrm{fstate} \lceil \mathit{new\_path}$ and $\beta.\mathrm{lstate} \lceil \mathit{seg} = \beta.\mathrm{fstate} \lceil \mathit{seg}$, from Theorem 5.6, we know that $\beta.\mathrm{lstate} \in \mathcal{I}_k$. This completes the proof for the case where $\lfloor (x.d - x'.d)/(v_{max}\Delta) \rfloor - 1 \le 0$.

Next, consider the case where $\lfloor (x.d - x'.d)/(v_{max}\Delta) \rfloor - 1 > 0$. From the structure of a PCHA, we see that $\mathit{next} = \mathit{now}$ every $\Delta$ time. So, the first state in $\beta$ such that $\mathit{next} = \mathit{now}$ occurs no later than time $\Delta$. Using Lemma 5.9, we see that at this state, $d \ge x.d - v_{max}\Delta$. Applying Lemma 5.10 and using the invariance of $\mathcal{I}_k$ for any $k$ proved in Theorem 5.6, we get that $\beta.\mathrm{lstate} \in \mathcal{I}_{k+n}$ where $n = \lfloor (x.d - x'.d)/(v_{max}\Delta) \rfloor - 1$. □

A sequence of shrinking $\mathcal{I}_k$'s visited by $\mathcal{A}$ in making progress towards a waypoint is shown in Figure 9.

Fig. 9. A sequence of shrinking $\mathcal{I}_k$'s visited by $\mathcal{A}$ in making progress towards a waypoint. $\mathcal{I}_0$ is drawn in black, whereas $\mathcal{I}_i$ is drawn in red for $i > 0$.


5.4 Safety and Waypoint Progress: Identifying Safe Planner Paths

In this section, we derive a sufficient condition on planner paths that can be safely followed with respect to a candidate invariant set $\mathcal{I}_0$ whose parameters $\varepsilon_0 \in [0, \varepsilon_{max}]$ and $\phi_0 \in [0, \phi_{max}]$ satisfy Assumption 5.1 and are chosen such that $\mathcal{I}_0$ contains the initial state $\mathcal{Q}_{0,\mathcal{A}}$. Then, we prove an invariance of $\mathcal{I}_0$ and conclude that the safety and waypoint progress properties (A) and (C) defined at the beginning of Section 5 are satisfied.

The proof is structured as follows. First, we consider an execution fragment where $\mathit{path}$ does not change and which starts with waypoint-distance not shorter than some threshold $D^*$. Lemma 5.15 uses the segment progress property established in Section 5.3 to prove that this execution fragment preserves an invariance of $\mathcal{I}_0$. Then, in Lemma 5.16 and Lemma 5.17, we show that right after a path is changed, the waypoint-distance is not shorter than $D^*$ and the state of $\mathcal{A}$ remains in $\mathcal{I}_0$. Using these results, Lemma 5.18 concludes that an execution fragment which updates the path exactly once by the first $\mathit{main}$ action preserves an invariance of $\mathcal{I}_0$. Finally, we use Lemma 5.15 and Lemma 5.18 to conclude the section with the result that $\mathcal{I}_0$ is in fact an invariant of $\mathcal{A}$, and with this result, we conclude that the system satisfies the safety and waypoint progress properties (A) and (C) defined at the beginning of Section 5.

The following assumption provides sufficient conditions for planner paths that can be safely followed. The key idea in the condition is: longer path segments can be succeeded by sharper turns. Following a long segment, the vehicle reduces its deviation and disorientation by the time it reaches the end, and thus, it is possible for the vehicle to turn more sharply at the end without breaking an invariance of $\mathcal{I}_0$.

Assumption 5.12. (Planner paths) Let $p_0, p_1, \ldots$ be a planner path; for $i \in \{0, 1, \ldots\}$, let $\lambda_i$ be the length of the segment $p_i p_{i+1}$ and $\sigma_i$ be the difference in orientation of $p_i p_{i+1}$ and that of $p_{i+1} p_{i+2}$. Then, for each $i \in \{0, 1, \ldots\}$,

(a) $\lambda_i \ge 2 v_{max}\Delta + \varepsilon_0$.

(b) Let $n = \lfloor (\lambda_i - \varepsilon_0 - v_{max}\Delta)/(v_{max}\Delta) \rfloor - 1$. Then, $\lambda_i$ and $\sigma_i$ satisfy the following conditions:

$$\varepsilon_n \le \frac{1}{|\cos\sigma_i|}\big(\varepsilon_0 - v_{max}\Delta\,|\sin\sigma_i|\big) \qquad (35)$$

$$\phi_n \le \phi_0 - k_1 v_{max}\Delta\sin|\sigma_i| - k_1\varepsilon_n(1 - \cos\sigma_i) - k_2|\sigma_i| \qquad (36)$$

where, given $\varepsilon_0$ and $\phi_0$, $\varepsilon_n$ and $\phi_n$ are defined recursively for any $n > 0$ by $\varepsilon_n = \varepsilon_{n-1} - a_{n-1}$ and $\phi_n = \phi_{n-1} - b_{n-1}$ where $a_{n-1}, b_{n-1}$ are defined in Lemma 5.8.

The relationship between $\lambda$ and the maximum value of $\sigma$ which satisfies this assumption is shown in Figure 10.

Fig. 10. Segment length vs. maximum difference between consecutive segment orientations, for different values of $L$ and $\delta$.


Remark 5.13. The choice of $\varepsilon_0$ and $\phi_0$ affects both the requirements on a safe path (Assumption 5.12) and the definition of a good brake controller (Definition 5.2). Larger $\varepsilon_0$ and $\phi_0$ allow sharper turns in planned paths but force brakes to occur only at higher speeds. That is, relaxing the constraint on a path results in a tighter constraint on a brake action. This tradeoff is related to the design flaw of Alice as discussed in the introduction of the paper. Without having quantified the tradeoff, we inadvertently allowed a path to have sharp turns and also brakes at low speeds, thus violating safety.

To establish that $\mathcal{I}_0$ is an invariant of $\mathcal{A}$, we further assume that (a) new planner paths begin at the current position, (b) the Vehicle is not too disoriented with respect to new paths, and (c) the Vehicle speed is not too high, as stated in Assumption 5.14.

Assumption 5.14. (plan action and new path)

(a) Any new path $p = p_1 p_2 \cdots$ satisfies $p_1 = [x_p, y_p]$ where $x_p$ and $y_p$ are the values of the variables $x$ and $y$, respectively, when the path is received (i.e. when the $\mathit{plan}$ action occurs). That is, for any new input path, the path must begin at the current position of the vehicle.

(b) Let $v_p$ and $\theta_p$ be the speed and the orientation of the vehicle, respectively, when a $\mathit{plan}$ action occurs. Then,


where given $\varepsilon_0$ and $\phi_0$, $\theta_{0,2}$ is defined as in (16). In addition, let $p = p_1 p_2 \cdots$ be the received path and let $\vec p$ be the vector which represents a straight line defined by $p_1$ and $p_2$. Then,

$$|\angle\vec p - \theta_p| \le \frac{\phi_0}{k_2} - (v_p + a_{max}\Delta)\Delta\Big(\frac{k_1}{k_2}\sqrt{1 + \sin^2\theta_{0,2}} + \frac{\tan\phi_0}{L}\Big).$$
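As an added example, not the paper's code, the following Python applies the path conditions of Assumption 5.12 to a constructed waypoint list and the orientation condition of Assumption 5.14(b) to a constructed hand-over state. It assumes the value $n_i = \lfloor(\lambda_i - \varepsilon_0 - v_{max}\Delta)/(v_{max}\Delta)\rfloor - 1$ used in the proof of Lemma 5.15; that the sequences $\varepsilon_n$, $\phi_n$ (which the paper obtains from $a_k$, $b_k$ of Lemma 5.8) are supplied by the caller, here as a constructed non-increasing sequence; and that $\theta_{0,2}$ from (16) is a supplied parameter. All numeric values, paths and the names of the helper functions are constructed for the example.

```python
"""Planner-path checks: Assumption 5.12 (segment length vs. turn sharpness)
and the orientation bound of Assumption 5.14(b) at a path hand-over.
Added example; the paper contains no code. All numbers are constructed."""
import math

# Constructed controller / vehicle parameters (assumptions, not the paper's).
K1, K2 = 0.5, 1.0          # gains in phi = -k1*e1 - k2*e2
L = 3.0                    # wheelbase [m]
V_MAX, A_MAX = 5.0, 1.0    # speed / acceleration bounds
DELTA = 0.1                # control period [s]
THETA02 = 0.2              # theta_{0,2} from (16), taken as a given here

# Parameters eps_n, phi_n of the shrinking sets I_n. On the page they follow
# from eps_n = eps_{n-1} - a_{n-1}, phi_n = phi_{n-1} - b_{n-1} (Lemma 5.8);
# here a constructed non-increasing sequence stands in for that recursion.
EPS = [max(1.0 - 0.05 * n, 0.2) for n in range(60)]
PHI = [max(0.3 - 0.02 * n, 0.05) for n in range(60)]


def wrap_angle(a):
    """Wrap an angle to (-pi, pi]."""
    return math.atan2(math.sin(a), math.cos(a))


def segment_geometry(path):
    """lambda_i = |p_{i+1} - p_i| per segment and sigma_i = orientation change
    from segment i to segment i+1 per junction."""
    lengths, headings = [], []
    for (x0, y0), (x1, y1) in zip(path, path[1:]):
        lengths.append(math.hypot(x1 - x0, y1 - y0))
        headings.append(math.atan2(y1 - y0, x1 - x0))
    turns = [wrap_angle(h1 - h0) for h0, h1 in zip(headings, headings[1:])]
    return lengths, turns


def progress_index(lam, eps0):
    """n_i = floor((lambda_i - eps0 - v_max*Delta)/(v_max*Delta)) - 1: the number
    of set shrinkages Theorem 5.11 grants before the segment end (assumed value,
    as used in the proof of Lemma 5.15)."""
    return math.floor((lam - eps0 - V_MAX * DELTA) / (V_MAX * DELTA)) - 1


def check_planner_path(path, eps=EPS, phi=PHI):
    """Assumption 5.12 over a waypoint list. Returns (ok, violations)."""
    eps0, phi0 = eps[0], phi[0]
    lengths, turns = segment_geometry(path)
    violations = []
    for i, lam in enumerate(lengths):
        # (a): each segment must be long enough to make progress on it
        if lam < 2 * V_MAX * DELTA + eps0:
            violations.append(f"segment {i}: length {lam:.2f} violates 5.12(a)")
            continue
        if i >= len(turns):          # last segment: nothing to turn into
            continue
        sigma = turns[i]
        n = progress_index(lam, eps0)
        if n >= min(len(eps), len(phi)):
            raise ValueError(f"eps/phi sequences too short for index {n}")
        eps_n, phi_n = eps[n], phi[n]
        # (35): deviation right after the turn still fits in I_0
        num = eps0 - V_MAX * DELTA * abs(math.sin(sigma))
        cs = abs(math.cos(sigma))
        bound35 = num / cs if cs > 1e-12 else (math.inf if num >= 0 else -math.inf)
        if eps_n > bound35:
            violations.append(f"junction {i}: (35) fails, eps_{n}={eps_n:.3f} > {bound35:.3f}")
        # (36): combined deviation/disorientation right after the turn
        bound36 = (phi0 - K1 * V_MAX * DELTA * math.sin(abs(sigma))
                   - K1 * eps_n * (1 - math.cos(sigma)) - K2 * abs(sigma))
        if phi_n > bound36:
            violations.append(f"junction {i}: (36) fails, phi_{n}={phi_n:.3f} > {bound36:.3f}")
    return (not violations), violations


def new_path_heading_ok(p1, p2, theta_p, v_p, phi0=PHI[0]):
    """Orientation condition of Assumption 5.14(b): the vehicle heading theta_p
    at the plan action must be close to the direction of the new first segment."""
    heading = math.atan2(p2[1] - p1[1], p2[0] - p1[0])
    slack = (v_p + A_MAX * DELTA) * DELTA * (
        (K1 / K2) * math.sqrt(1 + math.sin(THETA02) ** 2) + math.tan(phi0) / L)
    return abs(wrap_angle(heading - theta_p)) <= phi0 / K2 - slack


# Constructed paths: a gentle S-curve (passes) and a 0.6 rad kink (rejected).
GOOD_PATH = [(0.0, 0.0), (20.0, 0.0), (40.0, 3.0), (60.0, 3.0)]
BAD_PATH = [(0.0, 0.0), (20.0, 0.0),
            (20.0 + 20.0 * math.cos(0.6), 20.0 * math.sin(0.6))]

if __name__ == "__main__":
    for name, p in (("good", GOOD_PATH), ("bad", BAD_PATH)):
        ok, why = check_planner_path(p)
        print(name, "ok" if ok else "rejected", why)
    print("hand-over ok:", new_path_heading_ok((0.0, 0.0), (20.0, 0.0), 0.05, 3.0))
```

The checker rejects the kinked path on (36) alone: its segments are long enough for (a) and its deviation bound (35) is loose, but a 0.6 rad turn costs more disorientation than $\phi_0$ leaves room for after the $k_2|\sigma_i|$ term. This is the trade-off Remark 5.13 describes, made concrete for one parameter set.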

First, we consider an execution fragment where $\mathit{path}$ does not change and which starts with a large enough waypoint-distance. The following lemma uses the progress property established in Section 5.3 to show that before switching to the next segment, $x \in \mathcal{I}_n$ where $n \ge 0$ depends on the segment length. Since we restrict the sharpness of the turn with respect to segment length (Assumption 5.12), we can then conclude that this execution fragment preserves an invariance of $\mathcal{I}_0$.

Lemma 5.15. Consider a plan-free execution fragment $\beta$ starting at a state $x \in \mathcal{I}_0$. Suppose $x.\mathit{path} = x.\mathit{new\_path}$ and $x.d \ge D^*$ where $D^* = \lambda_1 - \varepsilon_0 - v_{max}\Delta$ and $\lambda_1$ is the length of the segment $x.\mathit{seg}$. Then $\beta.\mathrm{lstate} \in \mathcal{I}_0$.

Proof. First, observe that $\beta$ can be written as $\beta = \beta_1\alpha_1\beta_2\alpha_2\cdots\beta_m$ where for any $i$, $\alpha_i$ is a $\mathit{main}$ action and $\beta_i$ is a plan-free execution fragment such that $\beta_i.\mathrm{lstate} \lceil \mathit{path} = \beta_i.\mathrm{fstate} \lceil \mathit{new\_path}$ and $\beta_i.\mathrm{lstate} \lceil \mathit{seg} = \beta_i.\mathrm{fstate} \lceil \mathit{seg}$. From Theorem 5.6, we get that for any $i$, if $\beta_i.\mathrm{fstate} \in \mathcal{I}_0$, then $\beta_i.\mathrm{lstate} \in \mathcal{I}_0$. So, suppose $\beta_1.\mathrm{fstate} \in \mathcal{I}_0$, $\beta_1.\mathrm{fstate} \lceil \mathit{path} = \beta_1.\mathrm{fstate} \lceil \mathit{new\_path}$ and $\beta_1.\mathrm{fstate} \lceil d \ge \lambda_1 - \varepsilon_0 - v_{max}\Delta$. We only need to show that for any $i > 1$, $\beta_i.\mathrm{fstate} \in \mathcal{I}_0$.

Consider the base case $i = 2$. If $\beta_2.\mathrm{fstate} \lceil \mathit{seg} = \beta_1.\mathrm{lstate} \lceil \mathit{seg}$, then $\alpha_1$ does not change the continuous state $s$, and so $\beta_2.\mathrm{fstate} \in \mathcal{I}_0$. Otherwise, $\beta_2.\mathrm{fstate} \lceil \mathit{seg} = \beta_1.\mathrm{fstate} \lceil \mathit{seg} + 1$. But from the update rule of the variable $\mathit{seg}$ and Lemma 5.9, it can be easily shown that $-v_{max}\Delta < \beta_1.\mathrm{lstate} \lceil d \le 0$. Applying Theorem 5.11, we get that $\beta_1.\mathrm{lstate} \in \mathcal{I}_n$ where $n = \lfloor (\lambda_1 - \varepsilon_0 - v_{max}\Delta)/(v_{max}\Delta) \rfloor - 1 \ge 0$, since by Assumption 5.12(a), $\lambda_1 - \varepsilon_0 - 2 v_{max}\Delta \ge 0$.

Let $x_1 = \beta_1.\mathrm{lstate}$ and $x_2 = \beta_2.\mathrm{fstate}$ and let $\sigma_1$ be the difference between the orientation of $\beta_1.\mathrm{fstate} \lceil \mathit{seg}$ and $\beta_1.\mathrm{fstate} \lceil \mathit{seg} + 1$. From the update rule for $e_1$ and the definition of $\vec p$, $\vec q$ and $\vec r$ in Figure 5, it can be shown that $x_2.e_1 = x_1.d \sin\sigma_1 + x_1.e_1 \cos\sigma_1$. But since $\beta_1.\mathrm{lstate} \in \mathcal{I}_n$, from the definition of $\mathcal{I}_n$, $|x_1.e_1| \le \varepsilon_n$. Therefore, using the bounds on $x_1.d$ provided earlier in the proof, we get $|x_2.e_1| \le v_{max}\Delta|\sin\sigma_1| + \varepsilon_n|\cos\sigma_1|$. Hence, from Assumption 5.12(b), $|x_2.e_1| \le \varepsilon_0$, that is, $F_1(x_2.s), F_2(x_2.s) \ge 0$.

Next, we prove that $F_3(x_2.s), F_4(x_2.s) \ge 0$. From the definition of $\mathcal{I}_n$, we know that $-\frac{k_1}{k_2}x_1.e_1 - \frac{\phi_n}{k_2} \le x_1.e_2 \le -\frac{k_1}{k_2}x_1.e_1 + \frac{\phi_n}{k_2}$. From the update rule for $e_2$, it can be easily shown that $x_2.e_2 = x_1.e_2 - \sigma_1$. Thus, we get that $-\frac{k_1}{k_2}x_1.e_1 - \frac{\phi_n}{k_2} - \sigma_1 \le x_2.e_2 \le -\frac{k_1}{k_2}x_1.e_1 + \frac{\phi_n}{k_2} - \sigma_1$. Using the bounds on $x_2.e_1$, $x_2.e_2$ and $x_1.e_1$, we can derive that $k_1 x_2.e_1 + k_2 x_2.e_2 \le k_1 v_{max}\Delta\sin|\sigma_1| + k_1\varepsilon_n(1 - \cos\sigma_1) + \phi_n + k_2|\sigma_1|$ and $k_1 x_2.e_1 + k_2 x_2.e_2 \ge -k_1 v_{max}\Delta\sin|\sigma_1| - k_1\varepsilon_n(1 - \cos\sigma_1) - \phi_n - k_2|\sigma_1|$. That is,

$$|k_1 x_2.e_1 + k_2 x_2.e_2| \le k_1 v_{max}\Delta\sin|\sigma_1| + k_1\varepsilon_n(1 - \cos\sigma_1) + \phi_n + k_2|\sigma_1|.$$

Therefore, Assumption 5.12(b) guarantees that $|k_1 x_2.e_1 + k_2 x_2.e_2| \le \phi_0$. That is, $F_3(x_2.s), F_4(x_2.s) \ge 0$. In addition, since a $\mathit{main}$ action does not affect $v$, $F_5(x_2.s) = F_5(x_1.s)$ and $F_6(x_2.s) = F_6(x_1.s)$, so $F_5(x_2.s), F_6(x_2.s) \ge 0$.

Therefore, by definition of $\mathcal{I}_0$, we get $\beta_2.\mathrm{fstate} \in \mathcal{I}_0$. In addition, from the bounds on $x_1.d$ and $x_1.e_1$, it can be easily shown that $\beta_2.\mathrm{fstate} \lceil d \ge \lambda_2 - \varepsilon_0 - v_{max}\Delta$ where $\lambda_2$ is the length of the segment $\beta_2.\mathrm{fstate} \lceil \mathit{seg}$.

Next, consider an arbitrary $i > 2$ and assume that $\beta_{i-1}.\mathrm{fstate} \in \mathcal{I}_0$ and, if $i = 2$ or $i > 2$ and $\beta_{i-1}.\mathrm{fstate} \lceil \mathit{seg} \ne \beta_{i-2}.\mathrm{lstate} \lceil \mathit{seg}$, then $\beta_{i-1}.\mathrm{fstate} \lceil d \ge \lambda_{i-1} - \varepsilon_0 - v_{max}\Delta$ where $\lambda_{i-1}$ is the length of the segment $\beta_{i-1}.\mathrm{fstate} \lceil \mathit{seg}$. Simply following the previous proof for $i = 2$, we get $\beta_i.\mathrm{fstate} \in \mathcal{I}_0$ and if $\beta_i.\mathrm{fstate} \lceil \mathit{seg} \ne \beta_{i-1}.\mathrm{lstate} \lceil \mathit{seg}$, then $\beta_i.\mathrm{fstate} \lceil d \ge \lambda_i - \varepsilon_0 - v_{max}\Delta$ where $\lambda_i$ is the length of the segment $\beta_i.\mathrm{fstate} \lceil \mathit{seg}$.

By mathematical induction, we conclude the proof that for any $i > 1$, $\beta_i.\mathrm{fstate} \in \mathcal{I}_0$. □

The next two lemmas show that Assumption 5.14 is sufficient to guarantee that if a path is changed, then all the assumptions in Lemma 5.15 are satisfied.

Lemma 5.16. For each state $x, x' \in \mathcal{Q}$ such that $x.\mathit{path} \ne x.\mathit{new\_path}$, if $x \in \mathcal{I}_0$ and $x \to x'$, then $x'.d \ge \lambda - v_{max}\Delta > 0$ where $\lambda$ is the length of the first segment of $x.\mathit{new\_path}$.

Proof. Consider an arbitrary execution $\alpha = \tau_0\alpha_1\tau_1\alpha_2\cdots$. Pick an arbitrary natural number $i$ such that $\alpha_i$ is a $\mathit{main}$ action and let $x = \tau_{i-1}.\mathrm{lstate}$ and $x' = \tau_i.\mathrm{fstate}$. We want to show that if $x \lceil \mathit{path} \ne x \lceil \mathit{new\_path}$, then $x'.d \ge \lambda - v_{max}\Delta > 0$. Notice that $x.\mathit{path} \ne x.\mathit{new\_path}$ if and only if there exists a natural number $j < i$ such that $\alpha_j$ is a $\mathit{plan}$ action and for any natural number $k \in \{j+1, \ldots, i-1\}$, $\alpha_k$ is not a $\mathit{main}$ action. Using Assumption 5.14(a), we get $(\tau_j.\mathrm{fstate} \lceil x, \tau_j.\mathrm{fstate} \lceil y) = p_{1,1}$ where $p_{1,1}$ is the first waypoint in $x.\mathit{new\_path}$. Since the $\mathit{main}$ action occurs every $\Delta$ time, the time between $\alpha_i$ and $\alpha_j$ is at most $\Delta$. Therefore, from Theorem 5.6, the definition of $F_5$ and $F_6$ and the definition of $f_1$ and $f_2$ which describe the evolution of $x$ and $y$, we see that $\|(x.x, x.y) - p_{1,1}\| \le v_{max}\Delta$. Furthermore, from Assumption 5.12(a), we know that $\lambda = \|p_{1,2} - p_{1,1}\| \ge v_{max}\Delta + \varepsilon_0$ where $p_{1,2}$ is the second waypoint in $x.\mathit{new\_path}$. Thus, $x'.d \ge \|p_{1,2} - p_{1,1}\| - \|(x.x, x.y) - p_{1,1}\| \ge \lambda - v_{max}\Delta > 0$. □

Lemma 5.17. For each state $x, x' \in \mathcal{Q}$ such that $x.\mathit{path} \ne x.\mathit{new\_path}$, if $x \in \mathcal{I}_0$ and $x \to x'$, then $x' \in \mathcal{I}_0$.

Proof. Consider an arbitrary execution $\alpha = \tau_0\alpha_1\tau_1\alpha_2\cdots$. Pick an arbitrary natural number $i$ such that $\alpha_i$ is a $\mathit{main}$ action and let $x = \tau_{i-1}.\mathrm{lstate}$ and $x' = \tau_i.\mathrm{fstate}$. We want to show that if $x \in \mathcal{I}_0$ and $x.\mathit{path} \ne x.\mathit{new\_path}$, then $x' \in \mathcal{I}_0$. So suppose $x \in \mathcal{I}_0$. Notice that $x.\mathit{path} \ne x.\mathit{new\_path}$ if and only if there exists a natural number $j < i$ such that $\alpha_j$ is a $\mathit{plan}$ action and for any natural number $k \in \{j+1, \ldots, i-1\}$, $\alpha_k$ is not a $\mathit{main}$ action. Let $p_{j,1}$ and $p_{j,2}$ be the first two waypoints of the new path. Consider a closed execution fragment $\beta = \tau_j\alpha_{j+1}\cdots\tau_{i-1}$. From Assumption 5.14(a), we get that $p_{j,1} = \tau_j.\mathrm{fstate} \lceil (x, y)$. Since the $\mathit{main}$ action occurs every $\Delta$ time, we see that $\beta.\mathrm{ltime} \le \Delta$. From the differential equations describing the evolution of $x$ and $y$, we get that

$$|(\tau_j.\mathrm{fstate} \lceil x) - (x.x)| \le ((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta$$

$$|(\tau_j.\mathrm{fstate} \lceil y) - (x.y)| \le \sin\theta_{0,2}\,((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta$$

So from the definition of $\vec r$ in Figure 5, we get that

$$\|\vec r\| \le ((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta\sqrt{1 + \sin^2\theta_{0,2}}.$$

Using Assumption 5.14(b), we can conclude that $\|\vec r\| \le \varepsilon_0$. So from the update rule for $e_1$, $|x'.e_1| \le \|\vec r\|$ and so

$$|x'.e_1| \le ((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta\sqrt{1 + \sin^2\theta_{0,2}} \le \varepsilon_0, \qquad (37)$$

that is, $F_1(x'.s), F_2(x'.s) \ge 0$.

Similarly, from the differential equation describing the evolution of $\theta$, we get that

$$|(\tau_j.\mathrm{fstate} \lceil \theta) - (x.\theta)| \le \frac{\tan\phi_0}{L}((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta.$$

Using condition (1) of Assumption 5.14(b), we can conclude that

$$|\angle\vec p - (x.\theta)| = |(\angle\vec p - (\tau_j.\mathrm{fstate} \lceil \theta)) + ((\tau_j.\mathrm{fstate} \lceil \theta) - (x.\theta))| \le |\angle\vec p - (\tau_j.\mathrm{fstate} \lceil \theta)| + |(\tau_j.\mathrm{fstate} \lceil \theta) - (x.\theta)| \le \frac{\phi_0}{k_2} - \frac{k_1}{k_2}((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta\sqrt{1 + \sin^2\theta_{0,2}}.$$

So we get

$$|k_2 x'.e_2| \le \phi_0 - k_1((\tau_j.\mathrm{fstate} \lceil v) + a_{max}\Delta)\Delta\sqrt{1 + \sin^2\theta_{0,2}}.$$

Combining this with (37), we get that

$$|k_1(x'.e_1) + k_2(x'.e_2)| \le |k_1(x'.e_1)| + |k_2(x'.e_2)| \le \phi_0,$$

that is, $F_3(x'.s), F_4(x'.s) \ge 0$. In addition, since the $\mathit{main}$ action does not affect $v$, we see that $F_5(x'.s) = F_5(x.s)$ and $F_6(x'.s) = F_6(x.s)$, so $F_5(x'.s), F_6(x'.s) \ge 0$. Therefore, by definition of $\mathcal{I}_0$, we get that $x' \in \mathcal{I}_0$. □

Using the previous three lemmas, the following lemma concludes that an execution fragment which updates the path exactly once by the first main action preserves invariance of $\mathcal{I}_0$.

Lemma 5.18. Consider a plan-free execution fragment $\beta$ starting at a state $x \in \mathcal{I}_0$. If $x.path \neq x.new\_path$, then $\beta.\mathrm{lstate} \in \mathcal{I}_0$.

Proof. $\beta$ can be written as $\beta = \beta_1\, main\, \beta_2$ where $\beta_1 = \tau_0\, brake\, \tau_1\, brake \ldots \tau_n$ and $\beta_2$ is a plan-free execution fragment with $\beta_2.\mathrm{fstate} \lceil path = \beta_2.\mathrm{fstate} \lceil new\_path$. Clearly, $\beta_1.\mathrm{lstate} \lceil path \neq \beta_1.\mathrm{lstate} \lceil new\_path$. In addition, $\beta_1.\mathrm{fstate} \in \mathcal{I}_0$ and thus, from Theorem 5.6, $\beta_1.\mathrm{lstate} \in \mathcal{I}_0$. Applying Lemma 5.16 and Lemma 5.17, we see that $\beta_2.\mathrm{fstate} \lceil d \geq \Lambda_1 - v_{\max}\Delta \geq \Lambda_1 - e_0 - v_{\max}\Delta$ and $\beta_2.\mathrm{fstate} \in \mathcal{I}_0$, where $\Lambda_1$ is the length of the first segment of $x.new\_path$. Therefore, from Lemma 5.15, $\beta.\mathrm{lstate} \in \mathcal{I}_0$. □

Finally, we conclude that $\mathcal{I}_0$ is an invariant of $\mathcal{A}$.

Theorem 5.19. Suppose the initial state $x_0 \in \mathcal{I}_0$ and $x_0.d \geq \Lambda_1 - e_0 - v_{\max}\Delta$, where $\Lambda_1$ is the length of the first segment of the initial path. Then, $\mathcal{I}_0$ is an invariant of $\mathcal{A}$.

Proof. Any execution $\alpha$ can be written as $\alpha = \beta_1\, plan\, \beta_2\, plan \cdots$ where $\beta_1$ is a plan-free execution fragment with $\beta_1.\mathrm{fstate} \lceil path = \beta_1.\mathrm{fstate} \lceil new\_path$ and for any $i \geq 2$, $\beta_i$ is a plan-free execution fragment with $\beta_i.\mathrm{fstate} \lceil path \neq \beta_i.\mathrm{fstate} \lceil new\_path$. Since plan action does not affect the variable $s$, if $\beta_1.\mathrm{lstate} \in \mathcal{I}_0$, then $\beta_2.\mathrm{fstate} \in \mathcal{I}_0$, and using Lemma 5.18, we get that for any $i \geq 2$, $\beta_i.\mathrm{lstate} \in \mathcal{I}_0$. Thus, we only need to show that $\beta_1.\mathrm{lstate} \in \mathcal{I}_0$. But this is true from Lemma 5.15 since $\beta_1.\mathrm{fstate} \lceil d = x_0.d \geq \Lambda_1 - e_0 - v_{\max}\Delta$ and $\beta_1.\mathrm{fstate} \in \mathcal{I}_0$. □

Since for any state $x \in \mathcal{I}_0$, $|x.e_1| < e_0 < e_{\max}$, invariance of $\mathcal{I}_0$ guarantees the safety property (A). For property (C), we note that for any state $x \in \mathcal{I}_0$, there exists $v_{\min} > 0$ such that $x.v \geq v_{\min} > 0$ and $|x.e_2| < \theta_{0,2} < \frac{\pi}{2}$, that is, $\dot{d} = f_7(x.s, u) \leq -v_{\min}\cos\theta_{0,2} < 0$ for any $u \in U$. Thus, it follows that the waypoint distance decreases and the vehicle makes progress towards its waypoint.

The simulation results are shown in Figure 11, which illustrate that the vehicle is capable of making a sharp left turn, provided that the path satisfies Assumption 5.12. In addition, we are able to replicate the stuttering behavior described in the Introduction when Assumption 5.12 is violated.

6.  CONCLUSIONS 

Motivated by a design bug that caused an undesirable behavior of Alice, an autonomous vehicle built at Caltech for the 2007 DARPA Urban Challenge, this paper introduced Periodically Controlled Hybrid Automata (PCHA), a subclass of Hybrid I/O Automata that is suitable for modeling sampled control systems and embedded systems with periodic sensing and actuation. New sufficient conditions for verifying invariant properties of PCHAs were presented. These conditions can be automatically checked using, for example, the constraint-based approach, quantifier elimination, or sum of squares decomposition. The intuition behind these conditions is that for an execution fragment to leave an invariant set $\mathcal{I}$, it needs to cross the boundary $\partial\mathcal{I}$ of $\mathcal{I}$. Hence, to verify invariance of $\mathcal{I}$, it suffices to identify a subset $\mathcal{C}$ of $\mathcal{I}$ such that: (1) there is enough separation between $\mathcal{C}$ and $\partial\mathcal{I}$ to ensure that if a control law is evaluated when the state is inside $\mathcal{C}$, then it is evaluated again before an execution fragment reaches $\partial\mathcal{I}$, and (2) if the control law is evaluated when the state is outside $\mathcal{C}$, then the vector field on $\partial\mathcal{I}$ points inwards with respect to $\partial\mathcal{I}$. These conditions can be generalized to the case where a collection of subsets $\mathcal{C}$'s corresponding to different parts of $\partial\mathcal{I}$ is needed to prove invariance of $\mathcal{I}$. An example presented in the paper describes how an invariant set can be automatically determined using the constraint-based approach.

Fig. 11. The positions of the vehicle as it follows a path to execute a sharp left turn. The solid line and the dashed line represent, respectively, the path and the positions of the vehicle. The initial path is drawn in thick solid (black) line. The positions of the vehicle are plotted in thin dashed (blue) line except when brake is triggered, in which case they are plotted in thick dashed (red) line. Left. The path satisfies Assumption 5.12. Right. The path does not satisfy Assumption 5.12 and the replan occurs due to excessive deviation. The replanned paths are drawn in thin solid (grey) line.

We then applied the proposed technique to verify a sequence of invariant properties of the planner-controller subsystem of Alice. Geometric properties of planner generated paths are derived which guarantee that such paths can be safely followed by the controller. The analysis revealed that the software design was not inherently flawed; the undesirable behavior was caused by an unfortunate choice of certain parameters. The simulation results verified that with the proper choice of parameters, the observed failure does not occur.

An interesting direction for future research is towards automatic invariant proofs of PCHAs combining the proofs for invariance of control steps and for invariance of control-free fragments based on the results of Lemma 3.1. Invariance of control steps can be partially automated using a theorem prover (e.g. PVS [Owre et al. 1996]), while invariance of control-free fragments can be automated using software tools for solving sum of squares problems (e.g. SOSTOOLS [Prajna et al. 2002]) or software tools for quantifier elimination (e.g. QEPCAD [Brown 2003], the constraint-based approach [Gulwani and Tiwari 2008]). We are currently examining a collection of PCHAs with polynomial dynamics for which this direction is promising. Another direction of future research is related to the progress property. Although the basic principle is straightforward, the details of the progress proof in Sections 5.3 and 5.4 are quite involved. This is partly owing to the difficulty of finding the appropriate Lyapunov functions. In the future, we plan on investigating this further and on using ideas from [Chandy et al. 2008] for the progress proof. A longer term goal is to integrate all these proof techniques within the TEMPO [TEM 2008] environment.
APPENDIX

A.  VEHICLE||CONTROLLER  AS  A  PCHA 

Here we show that the composed automaton $\mathcal{A} = \mathrm{Vehicle} \| \mathrm{Controller}$ is a periodically controlled hybrid automaton. We define an automaton $\mathcal{A}'$ that is identical to $\mathcal{A}$ except that its variables, actions, and transition functions are renamed to match the definition of the generic PCHA of Figure 1.

Variables. $\mathcal{A}'$ has the following variables.

(a) A continuous state variable $s = (x, y, \theta, v, e_1, e_2, d)$ of type $X = \mathbb{R}^7$.

(b) A discrete state variable $loc = (brake, path, seg)$ of type $L = \mathrm{Tuple}[\{On, Off\}, \mathrm{Seq}[\mathbb{R}^2], \mathbb{N}]$.

(c) A control variable $u = (a, \phi)$ of type $U = \mathbb{R}^2$.

(d) Two command variables $z_1 = brake$ of type $Z_1 = \{On, Off\}$ and $z_2 = path$ of type $Z_2 = \mathrm{Seq}[\mathbb{R}^2]$.

Actions and transitions. $\mathcal{A}$ has two input update actions, $brake(b)$ and $plan(p)$, and the command variables $z_1$ and $z_2$ store the values $b$ and $p$, respectively, when these actions occur.

An internal control action $main$ occurs every $\Delta$ time, starting from time 0. That is, the values of $\Delta_1$ and $\Delta_2$ as defined in a generic PCHA are $\Delta_1 = \Delta$ and $\Delta_2 = 0$. The control law function $g$ and the state transition function $h$ of $\mathcal{A}$ can be derived from the specification of the main action in Figure 5. Let $g = (g_a, g_\phi)$ where $g_a : L \times X \to \mathbb{R}$ and $g_\phi : L \times X \to \mathbb{R}$ represent the control law for $a$ and $\phi$, respectively, and are given by

$$g_a(l, s) = \begin{cases} a_{brake} & \text{if } l.brake = On \\ a_{\max} & \text{if } l.brake = Off \wedge s.v < v_t \\ 0 & \text{otherwise} \end{cases}$$

$$g_\phi(l, s) = \frac{\phi_d}{|\phi_d|}\min(\delta \cdot s.v,\, |\phi_d|)$$

where $\phi_d = -k_1 s.e_1 - k_2 s.e_2$. Let $h = (h_{s,1}, \ldots, h_{s,7}, h_{l,1}, h_{l,2}, h_{l,3})$ where $h_{s,1}, \ldots, h_{s,7} : L \times X \times Z_1 \times Z_2 \to \mathbb{R}$ describe the discrete transition of the $x, y, \theta, v, e_1, e_2$ and $d$ components of $s$, respectively, and $h_{l,1} : L \times X \times Z_1 \times Z_2 \to \{On, Off\}$, $h_{l,2} : L \times X \times Z_1 \times Z_2 \to \mathrm{Seq}[\mathbb{R}^2]$ and $h_{l,3} : L \times X \times Z_1 \times Z_2 \to \mathbb{N}$ describe the discrete transition of $brake$, $path$ and $seg$, respectively. Then, the function $h$ is given by


$$h_{s,1}(l, s, z_1, z_2) = s.x, \qquad h_{s,2}(l, s, z_1, z_2) = s.y,$$
$$h_{s,3}(l, s, z_1, z_2) = s.\theta, \qquad h_{s,4}(l, s, z_1, z_2) = s.v,$$
$$h_{s,5}(l, s, z_1, z_2) = \begin{cases} s.e_1 & \text{if } l.path = z_2 \wedge s.d > 0 \\ \dfrac{q \cdot r}{\|q\|} & \text{otherwise} \end{cases}$$
$$h_{s,6}(l, s, z_1, z_2) = \begin{cases} s.e_2 & \text{if } l.path = z_2 \wedge s.d > 0 \\ s.\theta - \angle p & \text{otherwise} \end{cases}$$
$$h_{s,7}(l, s, z_1, z_2) = \begin{cases} s.d & \text{if } l.path = z_2 \wedge s.d > 0 \\ \dfrac{p \cdot r}{\|p\|} & \text{otherwise} \end{cases}$$
$$h_{l,1}(l, s, z_1, z_2) = z_1, \qquad h_{l,2}(l, s, z_1, z_2) = z_2,$$
$$h_{l,3}(l, s, z_1, z_2) = \begin{cases} 1 & \text{if } l.path \neq z_2 \\ l.seg + 1 & \text{if } l.path = z_2 \wedge s.d \leq 0 \\ l.seg & \text{otherwise} \end{cases}$$

where the temporary variables $p$, $q$ and $r$ are computed as in the Controller specification based on the updated value of $path$ and $seg$.

Trajectories. From the state models of the Vehicle and Controller automata specified on line 14 of Figure 4 and lines 48-50 of Figure 5, we see that $\mathcal{A}$ only has one state model. For any value of $l \in L$, the continuous state $s$ evolves according to the differential equation $\dot{s} = f(s, u)$ where $f = (f_1, f_2, \ldots, f_7)$ and $f_1, \ldots, f_7 : X \times U \to \mathbb{R}$ are associated with the evolution of the $x, y, \theta, v, e_1, e_2$ and $d$ components of $s$, respectively. Using the definition of the control law function $g$ defined above, we can derive the following components of $f(s, g(l, s_0))$:

$$f_1(s, g(l, s_0)) = s.v\cos(s.\theta), \qquad f_2(s, g(l, s_0)) = s.v\sin(s.\theta)$$
$$f_3(s, g(l, s_0)) = f_6(s, g(l, s_0)) = \frac{s.v}{L}\tan\!\left(\frac{\phi_d}{|\phi_d|}\min(\delta \cdot s_0.v,\, |\phi_d|)\right)$$
$$f_4(s, g(l, s_0)) = \begin{cases} a_{brake} & \text{if } l.brake = On \wedge s.v > 0 \\ a_{\max} & \text{if } l.brake = Off \wedge s_0.v < v_t \\ 0 & \text{otherwise} \end{cases}$$
$$f_5(s, g(l, s_0)) = s.v\sin(s.e_2), \qquad f_7(s, g(l, s_0)) = -s.v\cos(s.e_2)$$

where $\phi_d = -k_1 s_0.e_1 - k_2 s_0.e_2$.
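Added example, not from the paper: a Python simulation of the Vehicle||Controller PCHA defined in this appendix, with the main action fired every Δ and the control input frozen in between, using the set I_0 of Section 5 and Assumption 5.12(a) as runtime checks for the safety property (A) and the progress property (C) discussed after Theorem 5.19. All parameter values are constructed (not Alice's); it assumes brake stays Off, Euler integration of f, and a constant steering cap PHI_MAX in place of the min(·) bound in g_φ.

```python
import math
# Constructed parameters (assumptions; the paper's values for Alice are not on this page).
DT, H, L = 0.1, 0.01, 2.5                               # control period Delta, Euler step, wheelbase
A_MAX, V_T, K1, K2, PHI_MAX = 1.0, 2.0, 0.5, 1.5, 0.6  # set-point, gains, constant steering cap
E0, PHI0, TH02, V_MIN, V_MAX = 2.5, 2.0, 1.2, 0.5, 2.5  # thresholds that define I_0

def path_admissible(path):
    """Assumption 5.12(a): every segment is longer than v_max * Delta + e_0."""
    return all(math.dist(path[i], path[i + 1]) > V_MAX * DT + E0 for i in range(len(path) - 1))
def in_I0(s):
    """Runtime monitor for I_0 (F_1..F_6 > 0): bounds on e1, k1 e1 + k2 e2, e2 and v."""
    return (abs(s["e1"]) < E0 and abs(K1 * s["e1"] + K2 * s["e2"]) < PHI0
            and abs(s["e2"]) < TH02 and V_MIN <= s["v"] <= V_MAX)
def refresh_errors(s, path, seg):
    """'otherwise' branch of h_{s,5..7}: e1, e2, d from the unit tangent p and r = waypoint - position."""
    (x0, y0), (x1, y1) = path[seg], path[seg + 1]
    n = math.dist(path[seg], path[seg + 1])
    px, py, rx, ry = (x1 - x0) / n, (y1 - y0) / n, x1 - s["x"], y1 - s["y"]
    s["d"], s["e1"] = px * rx + py * ry, py * rx - px * ry      # along-track distance, cross-track error
    s["e2"] = math.remainder(s["theta"] - math.atan2(py, px), math.tau)  # heading error theta - angle(p)
def control_law(s0):
    """g(l, s_0) with brake Off: accelerate below the set-point v_t; phi from phi_d = -k1 e1 - k2 e2."""
    phi_d = -K1 * s0["e1"] - K2 * s0["e2"]
    return (A_MAX if s0["v"] < V_T else 0.0), math.copysign(min(PHI_MAX, abs(phi_d)), phi_d)
def flow(s, a, phi):
    """One Euler step of f(s, g(l, s_0)): bicycle kinematics plus the e1, e2, d equations."""
    dth = s["v"] / L * math.tan(phi)
    s["x"] += H * s["v"] * math.cos(s["theta"]); s["y"] += H * s["v"] * math.sin(s["theta"])
    s["e1"] += H * s["v"] * math.sin(s["e2"]); s["d"] -= H * s["v"] * math.cos(s["e2"])
    s["theta"] += H * dth; s["e2"] += H * dth; s["v"] += H * a
def run(path, t_max=40.0):
    """Plan-free execution, main every DT: (I_0 held, d fell every period, segments done, max |e1|)."""
    s = {"x": 0.0, "y": 0.0, "theta": 0.0, "v": 0.6, "e1": 0.0, "e2": 0.0, "d": 0.0}
    seg, safe, progress, e1_max = 0, True, True, 0.0
    refresh_errors(s, path, seg)
    for _ in range(int(t_max / DT)):
        if s["d"] <= 0:                                  # h_{l,3}: waypoint passed, next segment
            seg += 1
            if seg == len(path) - 1: break
            refresh_errors(s, path, seg)
        a, phi = control_law(s)                          # input frozen until the next main action
        d0 = s["d"]
        for _ in range(round(DT / H)):
            flow(s, a, phi)
            safe, e1_max = safe and in_I0(s), max(e1_max, abs(s["e1"]))
        progress = progress and s["d"] < d0              # d-dot = -v cos(e2) < 0 while |e2| < pi/2
    return safe, progress, seg, e1_max

PATH = [(0.0, 0.0), (20.0, 0.0), (20.0 + 20 * math.cos(math.pi / 4), 20 * math.sin(math.pi / 4))]  # 45-degree turn
```

Running `run(PATH)` reports that I_0 held at every step, that d strictly decreased within every control period, and that both segments were completed despite the cross-track excursion at the corner.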


